diff --git a/.cirrus.yml b/.cirrus.yml
index 94b17feaca..961e7351d1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -160,22 +160,25 @@ env:
   # a solution for the mtime pruning above.
   ZEEK_CCACHE_EPOCH: 2
 
+  # Cache Spicy JIT results.
+  HILTI_CXX_COMPILER_LAUNCHER: ccache
+
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
 
+fedora38_task:
+  container:
+    # Fedora 38 EOL: Around May 2024
+    dockerfile: ci/fedora-38/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+
 fedora37_task:
   container:
     # Fedora 37 EOL: Around Dec 2024
     dockerfile: ci/fedora-37/Dockerfile
     << : *RESOURCES_TEMPLATE
   << : *CI_TEMPLATE
-
-fedora36_task:
-  container:
-    # Fedora 36 EOL: Around May 2023
-    dockerfile: ci/fedora-36/Dockerfile
-    << : *RESOURCES_TEMPLATE
-  << : *CI_TEMPLATE
   << : *SKIP_TASK_ON_PR
 
 centosstream9_task:
@@ -253,8 +256,9 @@ opensuse_tumbleweed_task:
     # Opensuse Tumbleweed has no EOL
     dockerfile: ci/opensuse-tumbleweed/Dockerfile
     << : *RESOURCES_TEMPLATE
+  prepare_script: ./ci/opensuse-tumbleweed/prepare.sh
   << : *CI_TEMPLATE
-  << : *SKIP_TASK_ON_PR
+#  << : *SKIP_TASK_ON_PR
 
 ubuntu2210_task:
   container:
@@ -611,6 +615,21 @@ container_image_manifest_docker_builder:
     - arm64_container_image
     - amd64_container_image
 
+# Once we've published new images in container_image_manifest, remove any untagged
+# images from the public ECR repository to stay within free-tier bounds.
+public_ecr_cleanup_docker_builder:
+  cpu: 1
+  only_if: >
+    $CIRRUS_CRON == '' && $CIRRUS_REPO_FULL_NAME == 'zeek/zeek' && $CIRRUS_BRANCH == 'master'
+  env:
+    AWS_ACCESS_KEY_ID: ENCRYPTED[!eff52f6442e1bc78bce5b15a23546344df41bf519f6201924cb70c7af12db23f442c0e5f2b3687c2d856ceb11fcb8c49!]
+    AWS_SECRET_ACCESS_KEY: ENCRYPTED[!748bc302dd196140a5fa8e89c9efd148882dc846d4e723787d2de152eb136fa98e8dea7e6d2d6779d94f72dd3c088228!]
+    AWS_REGION: us-east-1
+  cleanup_script:
+    - ./ci/public-ecr-cleanup.sh
+  depends_on:
+    - container_image_manifest
+
 cluster_testing_docker_builder:
   cpu: *CPUS
   memory: *MEMORY
@@ -695,7 +714,7 @@ include_plugins_debian11_task:
       folder: /tmp/ccache
       fingerprint_script: echo builtin-plugins-ccache-$ZEEK_CCACHE_EPOCH-$CIRRUS_TASK_NAME-$CIRRUS_OS
       reupload_on_changes: true
-  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin'" ./ci/build.sh
+  build_script: ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --include-plugins='/zeek/testing/builtin-plugins/Files/protocol-plugin;/zeek/testing/builtin-plugins/Files/py-lib-plugin;/zeek/testing/builtin-plugins/Files/zeek-version-plugin'" ./ci/build.sh
   test_script:
     - cd testing/builtin-plugins && ../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
   on_failure:
diff --git a/.cmake-format.json b/.cmake-format.json
new file mode 100644
index 0000000000..ff553dbbe2
--- /dev/null
+++ b/.cmake-format.json
@@ -0,0 +1,80 @@
+{
+    "parse": {
+	"additional_commands": {
+            "CheckIPProto": {
+		"kwargs": {
+                    "_proto": "*"
+		}
+            },
+            "CheckType": {
+		"kwargs": {
+                    "_type": "*",
+                    "_alt_type": "*",
+                    "_var": "*"
+		}
+            },
+	    "SetPackageVersion": {
+		"kwargs": {
+		    "_version": "*"
+		}
+	    },
+	    "SetPackageFileName": {
+		"kwargs": {
+		    "_version": "*"
+		}
+	    },
+	    "SetPackageInstallScripts": {
+		"kwargs": {
+		    "VERSION": "*"
+		}
+	    },
+	    "ConfigurePackaging": {
+		"kwargs": {
+		    "_version": "*"
+		}
+	    },
+	    "SetPackageGenerators": {},
+	    "SetPackageMetadata": {},
+	    "FindRequiredPackage": {
+		"kwargs": {
+		    "packageName": "*"
+		}
+	    },
+	    "InstallClobberImmune": {
+		"kwargs": {
+		    "_srcfile": "*",
+		    "_dstfile": "*"
+		}
+	    },
+	    "InstallPackageConfigFile": {
+		"kwargs": {
+		    "_srcfile": "*",
+		    "_dstdir": "*",
+		    "_dstfilename": "*"
+		}
+	    },
+	    "InstallShellScript": {
+		"kwargs": {
+		    "_srcfile": "*",
+		    "_dstfile": "*"
+		}
+	    },
+	    "InstallSymLink": {
+		"kwargs": {
+		    "_filepath": "*",
+		    "_sympath": "*"
+		}
+	    }
+	}
+    },
+    "format": {
+	"line_width": 100,
+	"tab_size": 4,
+	"separate_ctrl_name_with_space": true,
+	"max_subgroups_hwrap": 3,
+	"line_ending": "unix"
+    },
+    "markup": {
+	"enable_markup": false
+    }
+}
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index d1ba9ad6d2..515fea1992 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -34,7 +34,13 @@ jobs:
         with:
           submodules: "recursive"
 
+      # Only reset the submodule pointer for scheduled builds. The reason to do
+      # this is to pick up any merge commits or anything that may have been
+      # missed in a merge, but not have any actual content. We don't want to do
+      # it otherwise because PRs should just use the submodule they're pointing
+      # at.
       - name: Switch doc submodule to master
+        if: github.event_name == 'schedule'
         run: cd doc && git checkout master
 
       - name: Fetch Dependencies
diff --git a/.gitmodules b/.gitmodules
index e971a79201..fefd52ec42 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -58,11 +58,8 @@
 [submodule "auxil/out_ptr"]
 	path = auxil/out_ptr
 	url = https://github.com/soasis/out_ptr.git
-[submodule "auxil/spicy-plugin"]
-	path = auxil/spicy-plugin
-	url = https://github.com/zeek/spicy-plugin
 [submodule "auxil/spicy"]
-	path = auxil/spicy/spicy
+	path = auxil/spicy
 	url = https://github.com/zeek/spicy
 [submodule "auxil/filesystem"]
 	path = auxil/filesystem
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 50844cf58b..4315bdfbb9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,3 +17,9 @@ repos:
   rev: v0.31.0
   hooks:
   - id: yapf
+
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+    exclude: '^auxil/.*$'
diff --git a/CHANGES b/CHANGES
index 91844488e5..9f36075a4d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,769 @@
+6.1.0-dev.4 | 2023-05-31 13:48:49 -0700
+
+  * Update bifcl, binpac, and broker repos for cmake changes (Tim Wojtulewicz)
+
+  * bison_target argument changes from HEADER to DEFINES_FILE (Tim Wojtulewicz, Corelight)
+
+  * Update cmake submodule [nomail] (Tim Wojtulewicz, Corelight)
+
+  * Start of 6.1.0 development (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.683 | 2023-05-31 09:50:46 +0200
+
+  * Simplify code generated for Spicy analyzer port ranges. (Benjamin Bannier, Corelight)
+
+    We previously would reprent port ranges from EVT files element-wise.
+    This can potentially generate a lot of code (all on a single line
+    though) which some versions of GCC seem to have trouble with, and which
+    also causes JIT overhead.
+
+    With this patch we switch to directly representing ranges. Single ports
+    are represented as ranges `[start, start]`.
+
+    Closes #3094.
+
+  * catch-and-release: Mark cr_check_rule as is_used (Arne Welzel, Corelight)
+
+  * Add test-all-policy-cluster (Arne Welzel, Corelight)
+
+    After the introduction of @if ... analyze, a lot of warnings were
+    triggered due to nested @if and @if .. analyze usage.
+
+    Add a test for coverage of all policy scripts in cluster mode
+    for the usual node types so this does not happen again.
+
+6.0.0-dev.662 | 2023-05-26 20:51:43 +0200
+
+  * Update ZeekJS submodule to 0.9.1 (Arne Welzel, Corelight)
+
+6.0.0-dev.660 | 2023-05-26 10:03:29 +0200
+
+  * CMakeLists: Skip zeek-version.h include for zeek_objs, too (Arne Welzel, Corelight)
+
+    I've continued to see somewhat slower builds after Zeek version bumps. It
+    appears files covered by zeek_objs didn't have -DZEEK_CONFIG_SKIP_VERSION_H
+    set causing ccache invalidation after a version bump.
+
+  * Bump cluster testsuite to latest main (Arne Welzel, Corelight)
+
+6.0.0-dev.657 | 2023-05-25 19:49:20 -0700
+
+  * Fix minor type-clash warning on Windows (Tim Wojtulewicz)
+
+  * Fix Coverity warning involving object copy in TLS binpac code (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.654 | 2023-05-25 20:01:37 +0200
+
+  * Address wire/capture length feedback (Arne Welzel, Corelight)
+
+  * packet_analysis/TCP: Do not use untrusted len for DeliverPacket() (Arne Welzel, Corelight)
+
+    We should not be passing the untrusted TCP header length into
+    DeliverPacket(). Also, DeliverPacket() cap len parameter should
+    be the capture length of the packet, not remaining data.
+
+  * GH-2683: Add regression test using pcap from GH-2683 (Arne Welzel, Corelight)
+
+  * Add btest to test Geneve->VXLAN->Truncated inner packet (Tim Wojtulewicz, Corelight)
+
+  * IP: Update packet->len with accumulated fragment size (Arne Welzel, Corelight)
+
+    With packet->len representing the wire length and other places
+    relying on it, ensure it's updated for fragments as well. This
+    assumes non-truncated fragments right now. Otherwise we'd need
+    to teach the FragmentReassembler to somehow track this independently
+    but it would be a mess.
+
+  * UDP: Forward any remaining data (also empty) to session-analysis (Arne Welzel, Corelight)
+
+    The protocol analyzers are prepared to receive truncated data and
+    this way we give analyzers a chance to look at data. We previously
+    allowed empty data being passed: When len ended up 0 and remaining
+    was 0 too.
+
+  * IPTunnel: Compute inner wire length based on cap_len differences. (Arne Welzel, Corelight)
+
+  * IP: fix weird name to not be ipv6 specific (Tim Wojtulewicz, Corelight)
+
+  * UDP: don't validate checksum if caplen < len (Tim Wojtulewicz, Corelight)
+
+    This may happen with truncated packets and will cause asan builds to bail out
+    before the packet can be forwarded along. The TCP analyzer already has this
+    check, but it's missing for UDP.
+
+  * PIA: Modernize how struct initialization is done (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.643 | 2023-05-25 09:03:40 -0700
+
+  * btest.cfg: Set HILTI_CXX_COMPILER_LAUNCHER based on build/CMakeCache.txt (Arne Welzel, Corelight)
+
+    If CMakeCache.txt indicates the Zeek build was done with ccache,
+    take the CCACHE_PROGRAM:FILEPATH= line and populate the
+    HILTI_CXX_COMPILER_LAUNCHER environment.
+
+    For local development with ccache, this speeds up the spicy tests
+    significantly after the initial run without knowing or needing know
+    that setting HILTI_CXX_COMPILER_LAUNCHER would've helped.
+
+6.0.0-dev.641 | 2023-05-25 09:03:08 -0700
+
+  * Speed up Spicy-related tests. (Benjamin Bannier, Corelight)
+
+    This patch changes invocations of `spicyz` and similar Spicy tools in
+    tests which perform compilation to use debug mode via passing `-d`. This
+    in turn leads to Spicy compiling generated C++ code in debug as opposed
+    to release mode which typically seems to require less CPU time and RAM.
+    For a local test running with `btest -j 16` and no caching via
+    `HILTI_CXX_COMPILER_LAUNCER` this sped up running of BTests under
+    `spicy/` by about 40s on my machine (120s vs 160s).
+
+6.0.0-dev.636 | 2023-05-24 09:41:01 +0200
+
+  * stats: Add zeek-net-packet-lag-seconds metric (Arne Welzel, Corelight)
+
+  * GH-3060: Support negative index lookups for vectors (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.628 | 2023-05-23 19:32:05 +0200
+
+  * ci: Disable openh264 repository on tumbleweed (Arne Welzel, Corelight)
+
+6.0.0-dev.626 | 2023-05-23 17:34:43 +0200
+
+  * Bump cmake to fix build of multiple Spicy analyzers in a package. (Robin Sommer, Corelight)
+
+6.0.0-dev.624 | 2023-05-23 15:45:34 +0200
+
+  * GH-3071: Fix crashing when disable_analyzer() called on root analyzers (Arne Welzel, Corelight)
+
+6.0.0-dev.622 | 2023-05-22 16:38:56 -0700
+
+  * Revert part of previous CMake debug type fix (Tim Wojtulewicz)
+
+6.0.0-dev.620 | 2023-05-22 16:34:06 -0700
+
+  * btest/input/raw: Fix reread test (Arne Welzel, Corelight)
+
+    This seems to have relied on the reading file twice behavior simply
+    testing that 16 lines are observed. Switch to using two separate
+    files and doing a system("mv ...") to trigger the REREAD logic, there's
+    not force_update() needed and it wouldn't do anything if the file
+    hadn't changed anyway.
+
+  * input/Raw: Avoid reading file twice in MODE_REREAD (Arne Welzel, Corelight)
+
+    Found while writing documentation and being confused why
+    all lines and end_of_data() arrive twice during startup.
+
+    The test is a bit fuzzy, but does fail reliably without
+    the changes to Raw.cc
+
+    Also fix not checking dev in the MODE_REREAD path.
+
+    Closes #3053
+
+6.0.0-dev.617 | 2023-05-22 10:14:27 +0200
+
+  * Fix CMAKE_BUILD_TYPE_LOWER definition-vs-use ordering problem (Christian Kreibich, Corelight)
+
+    It needs to be defined by the time we create zeek-config, which happens before
+    its current definition. To avoid a redundant TOLOWER when we check for presence
+    of --enable-debug at the beginning, this also switches this to a case-unadjusted
+    comparison to "Debug", which we use elsewhere in the file too.
+
+6.0.0-dev.614 | 2023-05-19 10:51:35 -0700
+
+  * Allow plugins to call find_package(Zeek) (Dominik Charousset)
+
+6.0.0-dev.611 | 2023-05-19 09:37:39 -0700
+
+  * files: Warn once for missing get_file_handle() (Arne Welzel, Corelight)
+
+    Repeating the message for every new call to get_file_handle() is not
+    very useful. It's pretty much an analyzer configuration issue so logging
+    it once should be enough.
+
+  * MIME: Re-use cur_entity_id for EndOfFile() (Arne Welzel, Corelight)
+
+    If DataIn() was called and a cur_entity_id (file_id) has been produced
+    previously, re-use it for calls to EndOfFile(). This avoids a costly
+    event_mgr.Drain() when we already have that information. It should be safer,
+    too, as `get_file_handle()` in script may generate a different ID and
+    thereby de-synchronizing.
+
+  * zeek-fuzzer-setup: Configure fake DNS (Arne Welzel, Corelight)
+
+    I'm not sure if we somehow set this for oss-fuzz through the environment,
+    but didn't find anything obvious.
+
+    Running oss-fuzz reproducers locally can triggers lookups to malware.hash.cymru.com
+    and potentially other domains due to loading local.zeek.
+
+  * SupportAnalyzer: Stop delivering to disabled parent analyzer (Arne Welzel, Corelight)
+
+    When the parent of a support analyzer has been disabled, short-circuit
+    delivering stream or packet data to it.
+
+    The specific scenario this avoids is the Content-Line analyzer continuing
+    to feed data lines into an disabled SMTP analyzer in turn creating more
+    events.
+
+    This is primarily useful for our fuzzing setup where data chunks up to 1MB
+    are generated and fed into the analyzer pipeline. In the real-world, chunk
+    sizes are usually bounded to packet size. Certain TCP reassembly constellations
+    may trigger these scenarios, however.
+
+    Closes #168
+
+  * Add length checking to ToRawPktHdrVal for truncated packets (Tim Wojtulewicz, Corelight)
+
+  * ftp: No unbounded directory command re-use (Arne Welzel, Corelight)
+
+    OSS-Fuzz generated traffic containing a CWD command with a single very large
+    path argument (427kb) starting with ".___/` \x00\x00...", This is followed
+    by a large number of ftp replies with code 250. The directory logic in
+    ftp_reply() would match every incoming reply with the one pending CWD command,
+    triggering path buildup ending with something 120MB in size.
+
+    Protect from re-using a directory command by setting a flag in the
+    CmdArg record when it was consumed for the path traversal logic.
+
+    This doesn't prevent unbounded path build-up generally, but does prevent the
+    amplification of a single large command with very many small ftp_replies.
+    Re-using a pending path command seems like a bug as well.
+
+6.0.0-dev.605 | 2023-05-18 08:54:41 -0700
+
+  * Fix CMake ordering issue leaving configuration paths unset. (Robin Sommer, Corelight)
+
+6.0.0-dev.602 | 2023-05-17 16:10:57 +0200
+
+  * Add license header to zeek-config*.h and zeek-version.h (Arne Welzel, Corelight)
+
+  * Rename util-config.h to zeek-config-paths.h and install it (Arne Welzel, Corelight)
+
+    The util-config.h has never been installed previously. Skimming the history,
+    it was only meant for inclusion from util.cc, hence the name. Now that it's
+    included from some other headers, rename it to align with what it
+    contains and install it, too.
+
+  * Ensure spicyz/config.h is installed (Arne Welzel, Corelight)
+
+6.0.0-dev.598 | 2023-05-17 12:46:23 +0200
+
+  * Introduce environment variables to override more paths configured
+    into `spicyz` (`ZEEK_SPICY_DATA_PATH`, `ZEEK_SPICY_MODULE_PATH`).
+    (Robin Sommer, Corelight).
+
+  * Fix an ordering issue in Spicy support's CMake config. This led to
+    variables left unset inside the subdirectory. (Robin Sommer,
+    Corelight)
+
+6.0.0-dev.595 | 2023-05-17 10:36:22 +0200
+
+  * Fix get_active_node_count for node types not present. (Jan Grashoefer, Corelight)
+
+6.0.0-dev.592 | 2023-05-17 09:02:09 +0200
+
+  * zeekygen: Render function parameters as :param x: instead of :x: (Arne Welzel, Corelight)
+
+    We're currently rendering parameter descriptions from .bif file into
+    the .rst as follows:
+
+        :cid: The connection identifier.
+
+        :aid: The analyzer ID.
+
+    Switch this to :param cid: instead so that we can have Sphinx deal with
+    this as param docfield and group all parameters into a single section.
+
+    Currently, having the bare :cid: style causes sphinx to treat it as an
+    unknown field type, capitalize it and render it.
+
+6.0.0-dev.589 | 2023-05-16 12:15:07 +0200
+
+  * Move Spicy submodule from `auxil/spicy/spicy` to `auxil/spicy`.
+    (Robin Sommer, Corelight)
+
+6.0.0-dev.587 | 2023-05-16 11:40:40 +0200
+
+  * Integrate Spicy plugin into Zeek proper. (Robin Sommer, Corelight)
+
+    The plugin code is now a part of Zeek, located inside the standard
+    `src/` tree. Going forward, we will maintain it here and phase out
+    the external plugin.
+
+    The integration reflects the `spicy-plugin` code as of
+    `d8c296b81cc2a11`.
+
+    In addition to moving the code into Zeek's source tree, this comes
+    with a couple small functional changes:
+
+    - `spicyz` no longer tries to infer if it's running from the build
+      directory. Instead `ZEEK_SPICY_LIBRARY` can be set to a custom
+      location. `zeek-set-path.sh` does that now.
+
+    - ZEEK_CONFIG can be set to change what `spicyz -z` print out. This is
+      primarily for backwards compatibility.
+
+    The minimum Spicy version is now 1.8 (i.e., current `main` branch
+    at the time of merge).
+
+    For now, this all remains backwards compatible with the current
+    `zkg` analyzer templates so that they work with both external and
+    integrated Spicy support. Later, once we don't need to support any
+    external Spicy plugin versions anymore, we can clean up the
+    templates as well.
+
+  * Add `zkg_provides` to `--build-info`. (Robin Sommer, Corelight)
+
+    This makes dependencies explicit that Zeek provides built-in for
+    `zkg`. It's in support of
+    https://github.com/zeek/package-manager/pull/157.
+
+    For now, `zkg_provides` contains the same data as `included_plugins`
+    plus an entry for `spicy-plugin`.
+
+  * Fix Spicy tuple type conversion. (Robin Sommer, Corelight)
+
+    With an anonymous Spicy-side tuple type, we'd be missing an ID to
+    create a Zeek-side record, leading to undefined behavior. To still
+    support this case, we now make up an ID. In addition, we also could
+    end up not correctly tracking type ID during conversion; using a stack
+    now to handle recursion correctly.
+
+  * Fix generation of Spicy's file IDs. (Robin Sommer, Corelight)
+
+    They weren't stable, and potentially repetitive.
+  * Modernize plugin test. (Robin Sommer, Corelight)
+
+    Not using the `zeek/` include style could lead to path problems.
+
+6.0.0-dev.570 | 2023-05-12 23:29:09 +0200
+
+  * Introduce ZEEK_SEED_VALUES environment variable (Arne Welzel, Corelight)
+
+    For "individually different but deterministic" runs specifying Zeek's
+    seed as an environment variable eases setups as one can avoid creating
+    extra seed files for each of the individual processes.
+
+    It is an error to specify the new ZEEK_SEED_VALUES variable together
+    with the existing ZEEK_SEED_FILE and -G. ZEEK_SEED takes precedence over
+    deterministic mode (-D) like ZEEK_SEED_FILE does today already.
+
+6.0.0-dev.568 | 2023-05-12 13:41:55 -0700
+
+  * enhancements for event-tracing: (Vern Paxson, Corelight)
+      - reporting of potentially sensitive constants
+      - tracking of unsupported types enabling hand-editing to fix them
+      - fixed generation of "unspecified" aggregates
+      - fixed generation of IPv6 constants
+      - fixed generation when running without a packet source
+
+6.0.0-dev.563 | 2023-05-12 10:01:42 -0700
+
+  * Fix memory leak caused by pattern compilation failure (mAsk°)
+
+6.0.0-dev.559 | 2023-05-11 15:01:44 +0100
+
+  * Add DTLSv1.3 support (Johanna Amann, Corelight)
+
+    DTLSv1.3 changes the DTLS record format, introducing a completely new
+    unified header - which is a first for DTLS.
+
+    In case connection IDs are used, parsing of the unified header
+    is skipped. This is due to the fact, that the header then contains a
+    variable length element, with the length of the element not given in the
+    header. Instead, the length is given in the client/server hello message
+    of the opposite side of the connection (which we might have missed).
+
+    Furthermore, parsing is not of a high importance, since we are not
+    passing the connection ID, or any of the other parsed values of the
+    unified header into scriptland.
+
+  * SSL: Fix logging of Hello Retry Requests (Johanna Amann, Corelight)
+
+    It turns out that we never logged hello retry requests correctly in the
+    ssl_history field.
+
+    Hello retry requests are (in their final version) signaled by a specific
+    random value in the server random.
+
+    This commit fixes this oversight, and hello retry requests are now
+    correctly logged as such.
+
+  * remote_event_ts_compat: Fix NETWORK_TIMESTAMP to NetworkTimestamp (Arne Welzel, Corelight)
+
+6.0.0-dev.551 | 2023-05-11 14:00:31 +0200
+
+  * Add compatibility tests for timestamped events. (Jan Grashoefer, Corelight)
+
+    This adds compatibility tests for receiving non-timestamped events as
+    well as providing timestamps via broker websockets.
+
+  * Add timestamps to auto published broker events. (Jan Grashoefer, Corelight)
+
+  * Add timestamps to manually published broker events. (Jan Grashoefer, Corelight)
+
+  * Annotate scheduled events with intended timestamp. (Jan Grashoefer, Corelight)
+
+  * Add timestamp to events. (Jan Grashoefer, Corelight)
+
+6.0.0-dev.544 | 2023-05-11 00:01:20 +0200
+
+  * GH-3028: policy/community-id: Do not use new_connection() (Arne Welzel, Corelight)
+
+    Issue #3028 tracks how a flipped connections reset a connection's value
+    including any state set during new_connection(). For the time being,
+    update community-id functionality back to the original connection_state_remove()
+    approach to avoid missing community_ids on flipped connections.
+
+6.0.0-dev.541 | 2023-05-10 23:16:24 +0200
+
+  * testing/zeek-version-link: Assume nm is there (Arne Welzel, Corelight)
+
+  * Drop dependency for zeek_dynamic_plugin_base (Dominik Charousset, Corelight)
+
+  * Fixup ifdef check in Plugin.h (Arne Welzel, Corelight)
+
+  * Update cmake_minimum_required() in test plugins (Arne Welzel, Corelight)
+
+  * testing: Add zeek-version-link tests (Arne Welzel, Corelight)
+
+  * Clean up ZEEK_CONFIG_SKIP_VERSION_H issues (Dominik Charousset, Corelight)
+
+6.0.0-dev.533 | 2023-05-09 13:38:37 -0700
+
+  * core.network_time.broker: Test reliability improvement (Arne Welzel, Corelight)
+
+    I wasn't able to reproduce this locally, but after looking at
+    -B main-loop,tm for a bit it dawned that if the manager is sending
+    ticks too fast, the Broker IO source may consume two ticks in one go
+    before expiring timers and that would explain the observed baseline
+    differences.
+
+    Solve this by removing the reliance on realtime delays and switch to
+    a request-reply pattern instead.
+
+6.0.0-dev.531 | 2023-05-09 13:38:15 -0700
+
+  * ci: Add public-ecr-vacuum.sh (Arne Welzel, Corelight)
+
+6.0.0-dev.529 | 2023-05-09 12:54:28 -0700
+
+  * Updating submodule(s) [nomail] (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.527 | 2023-05-09 19:11:00 +0200
+
+  * GH-2930: zeek.bif: Add log2() and ceil() (Arne Welzel, Corelight)
+
+6.0.0-dev.525 | 2023-05-09 09:05:51 -0700
+
+  * Use the same rules as cmake submodule to reformat Zeek (Tim Wojtulewicz, Corelight)
+
+  * Update cmake submodule after reformat (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.522 | 2023-05-09 15:19:43 +0200
+
+  * cluster/supervisor: Multi-logger awareness (Arne Welzel, Corelight)
+
+    When multiple loggers are configured in a Supervisor controlled cluster
+    configuration, encode extra information into the rotated filename to
+    identify which logger produced the log.
+
+    This is similar to the approach taken for ZeekControl, re-using the
+    log_suffix terminology, but as there's only a single zeek-archiver
+    process and no postprocessors and no other side-channel for additional
+    information, we encode extra metadata into the filename. zeek-archiver
+    is extended to recognize the special metadata part of the filename.
+
+    This also solves the issue that multiple loggers in a supervisor setup
+    overwrite each others log files within a single log-queue directory.
+
+  * Bump zeek-archiver submodule (Arne Welzel, Corelight)
+
+6.0.0-dev.519 | 2023-05-09 11:03:32 +0200
+
+  * Fixup Val.h/Val.cc: Actually move ValFromJSON into zeek::detail (Arne Welzel, Corelight)
+
+6.0.0-dev.518 | 2023-05-09 10:19:46 +0200
+
+  * Implement from_json bif (Fupeng Zhao)
+
+6.0.0-dev.516 | 2023-05-05 14:08:15 -0700
+
+  * BTest baseline updates for -O gen-C++ (Vern Paxson, Corelight)
+
+  * updates to C++ maintenance scripts to better handle uncompilable BTests (Vern Paxson, Corelight)
+
+  * added ZEEK_REPORT_UNCOMPILABLE environment variable for "-O report-uncompilable" (Vern Paxson, Corelight)
+
+  * BTest baseline updates for ZAM (Vern Paxson, Corelight)
+
+6.0.0-dev.511 | 2023-05-05 21:04:11 +0200
+
+  * Revert "Skip version.h by default for Zeek sources" (Arne Welzel, Corelight)
+
+    This reverts commit 8246baf25c692b658e7a39527f6652e37f5b5095.
+
+    Actually fails the include_plugins CI test and I had just
+    opened another related issue.
+
+6.0.0-dev.510 | 2023-05-05 20:14:21 +0200
+
+  * Skip version.h by default for Zeek sources (Dominik Charousset, Corelight)
+
+6.0.0-dev.508 | 2023-05-05 08:48:10 -0700
+
+  * generate-docs: Only update submodule pointer during scheduled builds (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.505 | 2023-05-04 20:08:33 +0200
+
+  * GH-2998: NTP: Detect out-of-order packets (Arne Welzel, Corelight)
+
+    The NTP mode provides us with the identity of the endpoints. For the
+    simple CLIENT / SERVER modes, flip the connection if we detect
+    orig/resp disagreeing with what the message says. This mainly
+    results in the history getting a ^ and the ntp.log / conn.log
+    showing the corrected endpoints.
+
+6.0.0-dev.503 | 2023-05-04 10:56:33 -0700
+
+  * Include compiler in --show-config output (Dominik Charousset, Corelight)
+
+  * Fix CMake option defaults on Windows (Dominik Charousset, Corelight)
+
+  * Move build defaults from configure to CMake (Dominik Charousset, Corelight)
+
+    Moving the defaults for build variables from the `configure` script to
+    `CMakeLists.txt` gives the same default behavior on platforms where the
+    `configure` script is not available (Windows) and also allows a pure
+    CMake-based work flow (e.g., the standard `cmake -S . -B build`) without
+    having to manually adjust the defaults.
+
+    The `configure` script also becomes much simpler as a result.
+
+6.0.0-dev.498 | 2023-05-04 09:30:18 +0200
+
+  * scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state() (Arne Welzel, Corelight)
+
+    This is similar to what the external corelight/zeek-smb-clear-state script
+    does, but leverages the smb2_discarded_messages_state() event instead of
+    regularly checking on the state of SMB connections.
+
+    The pcap was created using the dperson/samba container image and mounting
+    a share with Linux's CIFS filesystem, then copying the content of a
+    directory with 100 files. The test uses a BPF filter to imitate mostly
+    "half-duplex" traffic.
+
+  * smb2: Limit per-connection read/ioctl/tree state (Arne Welzel, Corelight)
+
+    Users on Slack observed memory growth in an environment with a lot of
+    SMB traffic. jeprof memory profiling pointed at the offset and fid maps
+    kept per-connection for smb2 read requests.
+
+    These maps can grow unbounded if responses are seen before requests, there's
+    packet drops, just one side of the connection is visible, or we fail to parse
+    responses properly.
+
+    Forcefully wipe out these maps when they grow too large and raise
+    smb2_discarded_messages_state() to notify script land about this.
+
+6.0.0-dev.493 | 2023-05-03 11:13:15 -0700
+
+  * Update Mozilla CA and Google CT lists (Johanna Amann, Corelight)
+
+6.0.0-dev.491 | 2023-05-03 09:31:36 -0700
+
+  * Surround string assignments in zeek-config in quotes (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.489 | 2023-05-03 09:31:19 -0700
+
+  * Remove parser error message for bro_init, et al (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.487 | 2023-05-03 09:30:55 -0700
+
+  * Add additional length check to IEEE 802.11 analyzer (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.484 | 2023-05-03 14:18:03 +0100
+
+  * SSL: do not try to disable failed analyzer (Johanna Amann, Corelight)
+
+    Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
+    will still try to remove the analyzer later, which results in the
+    following error message:
+
+    error: connection does not have analyzer specified to disable
+
+    Now, instead we don't try removing the analyzer anymore, after a
+    violation occurred.
+
+6.0.0-dev.480 | 2023-05-02 20:28:55 +0200
+
+  * ip4_hdr: Add DF, MF, offset and sum fields (Arne Welzel, Corelight)
+
+    For low-level packet analysis use-cases, these fields are currently
+    not script-land accessible via raw_packet() or so. They are accessible
+    on the icmp_context record, but not on the actual ip4_hdr record, so
+    add them.
+
+  * GH-2991: unload: Fix unloading of packages (Arne Welzel, Corelight)
+
+    @ynadji found that unloading packages doesn't work due to @unload not
+    resolving the __load__.zeek file within a directory like @load does.
+
+    Fixes #2991
+
+6.0.0-dev.476 | 2023-05-02 11:12:44 -0700
+
+  * Use workaround for setvbuf on Windows in DebugLogger/Extract file analyzer (Tim Wojtulewicz)
+
+  * Add ifdef'd implementation of setvbuf to zeek::util (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.473 | 2023-05-02 09:42:19 -0700
+
+  * Fix smith-waterman sorting to follow correct Compare semantics (Tim Wojtulewicz)
+
+6.0.0-dev.470 | 2023-04-28 16:33:46 -0700
+
+  * CI: Automatically update opensuse-tumbleweed (Tim Wojtulewicz, Corelight)
+
+  * CI: Remove Fedora 36, add Fedora 38 (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.467 | 2023-04-28 10:01:13 +0200
+
+  * GH-2791: pcap/Source: Allow more than 32bit for link and dropped stats (Arne Welzel, Corelight)
+
+    The PktSrc::Stats object works with 64bit unsigned integers. Unfortunately,
+    libpcap's struct pcap_stat is using 32bit values and users have reported
+    the wrapping of these values being visible in their stats.log roughly every
+    7.5 hours (~160kpps).
+
+    This change moves tracking of link and drop counters into the PktSrc::Stats
+    object (like is done for received and bytes_received) and updates them
+    on a call to PcapSource::Statistics() with the difference to the
+    previous stats values to prevent the wrap from becoming visible to
+    script land.
+
+    This doesn't cover the case of the stats counters wrapping around multiple
+    times between two invocations of PktSrc::Statistics(). With the default
+    interval of 5 minutes for the stats script, this seems acceptable.
+
+    Closes #2791.
+
+  * record_fields: Include information about optionality of fields (Arne Welzel, Corelight)
+
+    This was reported as a wish for log schema generation, so add it...
+
+  * Fix a few warnings from recent changes (Tim Wojtulewicz)
+
+6.0.0-dev.461 | 2023-04-28 09:37:08 +0200
+
+  * Simplify btests using cluster_started event. (Jan Grashoefer, Corelight)
+
+6.0.0-dev.457 | 2023-04-27 11:25:45 -0700
+
+  * Modify Windows test cmd file to actually run tests (Tim Wojtulewicz)
+
+  * Add template file and cmake call for zeek-path setup on Windows (Tim Wojtulewicz)
+
+6.0.0-dev.453 | 2023-04-27 13:22:43 +0200
+
+  * Revert putting plugins into a fresh scope for now (Dominik Charousset, Corelight)
+
+  * Propagate zeek-version.h skip via CMake properties (Dominik Charousset, Corelight)
+
+    Add a define for `ZEEK_CONFIG_SKIP_VERSION_H` to static plugins as well
+    as to dynamic plugins that we build alongside Zeek. When including
+    `zeek-config.h` with this macro defined, the header skips including
+    `zeek-version.h`.
+
+6.0.0-dev.449 | 2023-04-27 12:16:46 +0200
+
+  * Bump zeekctl to multi-logger version (Arne Welzel, Corelight)
+
+  * logging: Support rotation_postprocessor_command_env (Arne Welzel, Corelight)
+
+    This new table provides a mechanism to add environment variables to the
+    postprocessor execution. Use case is from ZeekControl to inject a suffix
+    to be used when running with multiple logger.
+
+6.0.0-dev.445 | 2023-04-27 09:08:45 +0200
+
+  * Update ZeekJS submodule to 0.9.0 (Arne Welzel, Corelight)
+
+    * Performance improvements for the Redis Log::log_stream_policy example
+      around PortVal wrapping and caching field offsets for property lookups.
+    * Debug output is now channeled through PLUGIN_DBG_LOG() and available via
+      zeek -B plugin-Zeek-JavaScript instead of unconditionally on stderr.
+    * Reduced CMake output when Node.js isn't found
+
+6.0.0-dev.443 | 2023-04-26 12:42:48 -0700
+
+  * extend ZEEK_PROFILER_FILE profiling to include summaries for functions/hooks/event handlers (Vern Paxson, Corelight)
+
+6.0.0-dev.441 | 2023-04-26 15:37:59 +0200
+
+  * Update AF-Packet submodule (Arne Welzel, Corelight)
+
+    Include Tim's cleanup and modernization fixes, too.
+
+  * Update AF-Packet submodule (Arne Welzel, Corelight)
+
+    * Mask VLAN ID from tp_vlan_tci field to fix vlan > 4095 reported by Zeek
+      when PCP and/or DEI bits are set.
+    * Descriptive error message when interface is down. Instead of
+      "Invalid argument", Zeek now reports "interface is down".
+
+6.0.0-dev.437 | 2023-04-25 13:07:57 -0700
+
+  * Update docs and NEWS to include LLC, SNAP, and Novell packet analyzers (Tim Wojtulewicz)
+
+  * Fix length checks in VLAN/Ethernet analyzers for non-ethertype protocols (Tim Wojtulewicz, Corelight)
+
+  * Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers (Tim Wojtulewicz, Corelight)
+
+  * Remove non-standard way of forwarding out of the Ethernet analyzer (Tim Wojtulewicz, Corelight)
+
+  * Add basic LLC, SNAP, and Novell 802.3 packet analyzers (Tim Wojtulewicz, Corelight)
+
+  * ARP: add support for IEEE802 hardware type (Tim Wojtulewicz, Corelight)
+
+6.0.0-dev.430 | 2023-04-25 11:37:44 -0700
+
+  * Merge branch 'topic/timw/2167-aruba-expansion' (Tim Wojtulewicz)
+
+    * topic/timw/2167-aruba-expansion:
+      Add NEWS entry about 802.11 and ARUBA changes
+      Remove workaround for tunnels from IEEE 802.11 analyzer
+      PPP in the GRE analyzer is actually PP*T*P
+      Add support for 802.11 A-MSDU aggregates
+      Fix IEEE 802.11 analyzer to properly forward tunneled packets
+      Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled
+      Expand support for Aruba protocol types in GRE analyzer
+      Default tunnel_type in iosource::Packet to NONE
+
+  * Add NEWS entry about 802.11 and ARUBA changes (Tim Wojtulewicz)
+
+  * Remove workaround for tunnels from IEEE 802.11 analyzer (Tim Wojtulewicz, Corelight)
+
+  * PPP in the GRE analyzer is actually PP*T*P (Tim Wojtulewicz, Corelight)
+
+  * Add support for 802.11 A-MSDU aggregates (Tim Wojtulewicz, Corelight)
+
+  * Fix IEEE 802.11 analyzer to properly forward tunneled packets (Tim Wojtulewicz, Corelight)
+
+    This mostly happens with Aruba, but could possibly happen with other tunnels too.
+
+  * Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled (Tim Wojtulewicz, Corelight)
+
+  * Expand support for Aruba protocol types in GRE analyzer (Tim Wojtulewicz, Corelight)
+
+    This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer
+    if it encounters Aruba packets with the proper protocol types. This way
+    the QoS header can be handled correctly.
+
+  * Default tunnel_type in iosource::Packet to NONE (Tim Wojtulewicz, Corelight)
+
 6.0.0-dev.421 | 2023-04-25 12:39:01 +0200
 
   * Given the -C flag, set script-layer ignore_checksums to true. (Christian Kreibich, Corelight)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 992aaca2b4..5938c37898 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,24 +2,79 @@
 # auxil/zeek-aux/plugin-support/skeleton/CMakeLists.txt
 cmake_minimum_required(VERSION 3.15.0 FATAL_ERROR)
 
-if ( WIN32 )
+if (WIN32)
     # Enable usage of CMAKE_MSVC_RUNTIME_LIBRARY variable
     cmake_policy(SET CMP0091 NEW)
-endif()
+endif ()
 
 project(Zeek C CXX)
 
+# We want to set ENABLE_DEBUG to ON by default if the build type is Debug.
+set(ENABLE_DEBUG_DEFAULT OFF)
+if (NOT GENERATOR_IS_MULTI_CONFIG)
+    string(TOLOWER "${CMAKE_BUILD_TYPE}" _build_type_lower)
+    if (_build_type_lower STREQUAL "debug")
+        set(ENABLE_DEBUG_DEFAULT ON)
+    endif ()
+    unset(_build_type_lower)
+endif ()
+
+# On UNIX, install additional Zeek tools by default and build shared objects.
+if (NOT WIN32)
+    set(ZEEK_INSTALL_TOOLS_DEFAULT ON)
+    option(BUILD_SHARED_LIBS "Build targets as shared libraries." ON)
+else ()
+    set(ZEEK_INSTALL_TOOLS_DEFAULT OFF)
+endif ()
+
+# CMake options (Boolean flags).
+option(ENABLE_DEBUG "Build Zeek with additional debugging support." ${ENABLE_DEBUG_DEFAULT})
+option(ENABLE_JEMALLOC "Link against jemalloc." OFF)
+option(ENABLE_PERFTOOLS "Build with support for Google perftools." OFF)
+option(ENABLE_ZEEK_UNIT_TESTS "Build the C++ unit tests." ON)
+option(INSTALL_AUX_TOOLS "Install additional tools from auxil." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_BTEST "Install btest alongside Zeek." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_BTEST_PCAPS "Install pcap files for testing." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_ZEEKCTL "Install zeekctl." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_ZEEK_ARCHIVER "Install the zeek-archiver." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_ZEEK_CLIENT "Install the zeek-client." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(INSTALL_ZKG "Install zkg." ${ZEEK_INSTALL_TOOLS_DEFAULT})
+option(PREALLOCATE_PORT_ARRAY "Pre-allocate all ports for zeek::Val." ON)
 option(ZEEK_STANDALONE "Build Zeek as stand-alone binary?" ON)
-option(ENABLE_ZEEK_UNIT_TESTS "Build the C++ (doctest) unit tests?" ON)
-set(CMAKE_EXPORT_COMPILE_COMMANDS ON
-    CACHE INTERNAL "Write JSON compile commands database")
+
+# Non-boolean options.
+if (NOT WIN32)
+    if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+        set(CMAKE_INSTALL_PREFIX "/usr/local/zeek"
+            CACHE PATH "Install directory used by install()." FORCE)
+    endif ()
+    # On windows, this defaults to "c:/Program Files/${PROJECT_NAME}":
+    # https://cmake.org/cmake/help/v3.15/variable/CMAKE_INSTALL_PREFIX.html.
+endif ()
+
+set(ZEEK_SCRIPT_INSTALL_PATH "${CMAKE_INSTALL_PREFIX}/share/zeek"
+    CACHE PATH "Install directory for Zeek scripts.")
+
+set(ZEEK_ETC_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/etc"
+    CACHE PATH "Install directory for Zeek configuration files.")
+
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON CACHE INTERNAL
+                                           "Whether to write a JSON compile commands database")
+
 set(ZEEK_CXX_STD cxx_std_17 CACHE STRING "The C++ standard to use.")
 
+set(ZEEK_SANITIZERS "" CACHE STRING "Sanitizers to use when building.")
+
+set(CPACK_SOURCE_IGNORE_FILES "" CACHE STRING "Files to be ignored by CPack")
+
+set(ZEEK_INCLUDE_PLUGINS "" CACHE STRING "Extra plugins to add to the build.")
+
+# Look into the build tree for additional CMake modules.
 list(APPEND CMAKE_MODULE_PATH ${CMAKE_BINARY_DIR})
 list(APPEND CMAKE_PREFIX_PATH ${CMAKE_BINARY_DIR})
 
 # Windows: Configure runtime and dependencies
-if ( MSVC )
+if (MSVC)
     # Remove existing runtime flags
     set(CompilerFlags
         CMAKE_CXX_FLAGS
@@ -29,9 +84,8 @@ if ( MSVC )
         CMAKE_C_FLAGS
         CMAKE_C_FLAGS_DEBUG
         CMAKE_C_FLAGS_RELEASE
-        CMAKE_C_FLAGS_RELWITHDEBINFO
-    )
-    foreach(CompilerFlag ${CompilerFlags})
+        CMAKE_C_FLAGS_RELWITHDEBINFO)
+    foreach (CompilerFlag ${CompilerFlags})
         string(REGEX REPLACE "[/|-]MDd" "" ${CompilerFlag} "${${CompilerFlag}}")
         string(REGEX REPLACE "[/|-]MD" "" ${CompilerFlag} "${${CompilerFlag}}")
         string(REGEX REPLACE "[/|-]MTd" "" ${CompilerFlag} "${${CompilerFlag}}")
@@ -39,15 +93,13 @@ if ( MSVC )
         string(REGEX REPLACE "[/|-]Zi" "" ${CompilerFlag} "${${CompilerFlag}}")
         string(REGEX REPLACE "[/|-]W3" "" ${CompilerFlag} "${${CompilerFlag}}")
         string(REGEX REPLACE "[/|-]W4" "" ${CompilerFlag} "${${CompilerFlag}}")
-    endforeach()
+    endforeach ()
 
     # Set compilation flags for Windows
-    add_compile_options(
-        /guard:cf # required by CheckCFlags
-        /Z7)      # required by CheckCFlags
+    add_compile_options(/guard:cf # required by CheckCFlags
+                        /Z7) # required by CheckCFlags
 
-    add_link_options(
-        /debug:full # required by CheckCFlags
+    add_link_options(/debug:full # required by CheckCFlags
     )
 
     # Set always to static runtime
@@ -64,22 +116,21 @@ if ( MSVC )
     set(OPENSSL_USE_STATIC_LIBS true)
     set(OPENSSL_MSVC_STATIC_RT true)
 
-    if ( ZEEK_STANDALONE )
+    if (ZEEK_STANDALONE)
         include(${CMAKE_SOURCE_DIR}/cmake/conan.cmake)
         conan_cmake_autodetect(settings)
         # Install packages from conanfile
         conan_cmake_install(PATH_OR_REFERENCE ${CMAKE_SOURCE_DIR}/ci/windows/conanfile_windows.txt
-                            BUILD missing
-                            SETTINGS ${settings})
-    endif()
+                            BUILD missing SETTINGS ${settings})
+    endif ()
 
     # Set LibPCAP to point to libpcap binaries.
-    if ( NOT PCAP_ROOT_DIR )
+    if (NOT PCAP_ROOT_DIR)
         find_package(libpcap)
         set(PCAP_ROOT_DIR "${libpcap_LIB_DIRS}/../")
         set(PCAP_INCLUDE_DIR ${libpcap_INCLUDES})
         set(PCAP_LIBRARY ${libpcap_LIBS})
-    endif()
+    endif ()
 
     set(LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER false)
 
@@ -95,7 +146,8 @@ if ( MSVC )
     add_definitions(-DCARES_STATICLIB)
 
     add_subdirectory(auxil/libunistd)
-    set(UNISTD_INCLUDES ${CMAKE_SOURCE_DIR}/auxil/libunistd/unistd ${CMAKE_SOURCE_DIR}/auxil/libunistd/regex)
+    set(UNISTD_INCLUDES ${CMAKE_SOURCE_DIR}/auxil/libunistd/unistd
+                        ${CMAKE_SOURCE_DIR}/auxil/libunistd/regex)
     include_directories(BEFORE ${UNISTD_INCLUDES})
     # Required for `check_include_files` to operate correctly
     list(APPEND CMAKE_REQUIRED_INCLUDES ${UNISTD_INCLUDES})
@@ -117,8 +169,10 @@ include(cmake/CommonCMakeConfig.cmake)
 include(cmake/FindClangTidy.cmake)
 include(cmake/CheckCompilerArch.cmake)
 
-########################################################################
-## Main targets and utilities.
+string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
+
+# ##############################################################################
+# Main targets and utilities.
 
 # Variable for referring back to Zeek's top-level source dir. Used for plugins
 # to tell them where to find the Zeek headers.
@@ -128,14 +182,17 @@ set(ZEEK_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
 # zeek-plugin-create-package.sh. Needed by ZeekPluginConfig.cmake.in.
 set(ZEEK_PLUGIN_SCRIPTS_PATH "${PROJECT_SOURCE_DIR}/cmake")
 
-# Our C++17 base target for propagating compiler and linker flags.
-# Note: for now, we only use it for passing library dependencies around.
+# Our C++17 base target for propagating compiler and linker flags. Note: for
+# now, we only use it for passing library dependencies around.
 add_library(zeek_internal INTERFACE)
 add_library(Zeek::Internal ALIAS zeek_internal)
 set_target_properties(zeek_internal PROPERTIES EXPORT_NAME Internal)
 install(TARGETS zeek_internal EXPORT ZeekTargets)
 target_compile_features(zeek_internal INTERFACE ${ZEEK_CXX_STD})
 
+# Skip "link-time version check" in Plugin.h for plugins that we bake in.
+target_compile_definitions(zeek_internal INTERFACE ZEEK_PLUGIN_SKIP_VERSION_CHECK)
+
 # Target for bundling the creation of auto-generated files.
 add_custom_target(zeek_autogen_files)
 
@@ -148,11 +205,11 @@ if (ZEEK_STANDALONE)
     set_target_properties(zeek_exe PROPERTIES RUNTIME_OUTPUT_NAME zeek)
     if (NOT CMAKE_RUNTIME_OUTPUT_DIRECTORY)
         set_target_properties(zeek_exe PROPERTIES RUNTIME_OUTPUT_DIRECTORY src)
-    endif()
+    endif ()
     install(TARGETS zeek_exe RUNTIME DESTINATION bin)
     # Export symbols from zeek executable for use by plugins
     set_target_properties(zeek_exe PROPERTIES ENABLE_EXPORTS ON)
-    if ( MSVC )
+    if (MSVC)
         set(WINDOWS_EXPORT_ALL_SYMBOLS ON)
     endif ()
     # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
@@ -163,7 +220,7 @@ if (ZEEK_STANDALONE)
     endif ()
 else ()
     add_library(zeek_lib STATIC)
-endif()
+endif ()
 
 if (TARGET zeek_lib)
     target_link_libraries(zeek_lib PRIVATE $<BUILD_INTERFACE:zeek_internal>)
@@ -171,31 +228,38 @@ if (TARGET zeek_lib)
     set_target_properties(zeek_lib PROPERTIES RUNTIME_OUTPUT_NAME libzeek)
     if (NOT CMAKE_LIBRARY_OUTPUT_DIRECTORY)
         set_target_properties(zeek_lie PROPERTIES LIBRARY_OUTPUT_DIRECTORY src)
-    endif()
+    endif ()
     install(TARGETS zeek_lib LIBRARY DESTINATION lib)
     # Tell zeek_target_link_libraries to add library dependencies as PRIVATE.
     set(zeek_lib_access PRIVATE)
-endif()
+endif ()
 
 # When building our fuzzers, we also need one extra top-level target that
 # bundles all of our object libraries and other dependencies.
-if ( ZEEK_ENABLE_FUZZERS )
+if (ZEEK_ENABLE_FUZZERS)
     add_library(zeek_fuzzer_shared SHARED)
     target_link_libraries(zeek_fuzzer_shared PUBLIC $<BUILD_INTERFACE:zeek_internal>)
     # Tell zeek_target_link_libraries to add library dependencies as PUBLIC.
     set(zeek_fuzzer_shared_access PUBLIC)
 endif ()
 
+# Set ZEEK_CONFIG_SKIP_VERSION_H for our main in-source targets.
+foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
+    if (TARGET ${name})
+        target_compile_definitions(${name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
+    endif ()
+endforeach ()
+
 # Convenience function for adding library dependencies to the main target(s).
-function(zeek_target_link_libraries lib_target)
+function (zeek_target_link_libraries lib_target)
     foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
         if (TARGET ${name})
             target_link_libraries(${name} ${${name}_access} ${lib_target})
         endif ()
-    endforeach()
-endfunction()
+    endforeach ()
+endfunction ()
 
-function(zeek_include_directories)
+function (zeek_include_directories)
     foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
         if (TARGET ${name})
             target_include_directories(${name} ${${name}_access} ${ARGN})
@@ -204,53 +268,39 @@ function(zeek_include_directories)
 endfunction ()
 
 # Convenience function for adding a dependency to the main target(s).
-function(zeek_add_dependencies dep)
+function (zeek_add_dependencies dep)
     foreach (name zeek_exe zeek_lib zeek_fuzzer_shared)
         if (TARGET ${name})
             add_dependencies(${name} ${dep})
         endif ()
-    endforeach()
-endfunction()
+    endforeach ()
+endfunction ()
 
 # Interface library for propagating extra flags and include paths to dynamically
 # loaded plugins. Also propagates include paths and C++17 mode on the install
 # interface.
 add_library(zeek_dynamic_plugin_base INTERFACE)
-target_link_libraries(zeek_dynamic_plugin_base
-    INTERFACE
-        $<BUILD_INTERFACE:zeek_internal>)
-target_include_directories(zeek_dynamic_plugin_base
-    INTERFACE
-        $<INSTALL_INTERFACE:include>
-        $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
-        $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/src>)
+target_include_directories(
+    zeek_dynamic_plugin_base
+    INTERFACE $<INSTALL_INTERFACE:include> $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
+              $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/src>)
 target_compile_features(zeek_dynamic_plugin_base INTERFACE ${ZEEK_CXX_STD})
 add_library(Zeek::DynamicPluginBase ALIAS zeek_dynamic_plugin_base)
-set_target_properties(
-    zeek_dynamic_plugin_base PROPERTIES
-    EXPORT_NAME DynamicPluginBase)
+set_target_properties(zeek_dynamic_plugin_base PROPERTIES EXPORT_NAME DynamicPluginBase)
 install(TARGETS zeek_dynamic_plugin_base EXPORT ZeekTargets)
 
 # On macOS, we need to tell the linker that the modules are allowed to have
 # undefined symbols.
 if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
-    target_link_options(
-        zeek_dynamic_plugin_base
-        INTERFACE
-            -undefined
-            dynamic_lookup
-            -Wl,-bind_at_load)
+    target_link_options(zeek_dynamic_plugin_base INTERFACE -undefined dynamic_lookup
+                        -Wl,-bind_at_load)
 endif ()
 
-function(add_zeek_dynamic_plugin_build_interface_include_directories)
-    foreach ( path ${ARGV} )
-        target_include_directories(
-            zeek_dynamic_plugin_base
-            INTERFACE
-                $<BUILD_INTERFACE:${path}>
-        )
+function (add_zeek_dynamic_plugin_build_interface_include_directories)
+    foreach (path ${ARGV})
+        target_include_directories(zeek_dynamic_plugin_base INTERFACE $<BUILD_INTERFACE:${path}>)
     endforeach ()
-endfunction()
+endfunction ()
 
 add_zeek_dynamic_plugin_build_interface_include_directories(
     ${PROJECT_SOURCE_DIR}/src/include
@@ -261,114 +311,93 @@ add_zeek_dynamic_plugin_build_interface_include_directories(
     ${CMAKE_BINARY_DIR}/src
     ${CMAKE_BINARY_DIR}/src/include
     ${CMAKE_BINARY_DIR}/auxil/binpac/lib
-    ${CMAKE_BINARY_DIR}/auxil/broker/include
-)
+    ${CMAKE_BINARY_DIR}/auxil/broker/include)
 
 # Convenience function for adding an OBJECT library that feeds directly into the
 # main target(s).
 #
-# Usage:
-# zeek_add_subdir_library(
-#   <name>
-#   SOURCES ...
-#   [INCLUDE_DIRS ...]
-#   [DEPENDENCIES ...]
-#   [INTERNAL_DEPENDENCIES ...]
-#   [BIFS ...]
-# )
-function(zeek_add_subdir_library name)
+# Usage: zeek_add_subdir_library( <name> SOURCES ... [INCLUDE_DIRS ...]
+# [DEPENDENCIES ...] [INTERNAL_DEPENDENCIES ...] [BIFS ...] )
+function (zeek_add_subdir_library name)
     # Parse arguments.
     set(fn_varargs INCLUDE_DIRS DEPENDENCIES INTERNAL_DEPENDENCIES SOURCES BIFS)
     cmake_parse_arguments(FN_ARGS "" "" "${fn_varargs}" ${ARGN})
     if (NOT FN_ARGS_SOURCES)
         message(FATAL_ERROR "zeek_add_subdir_library called without any SOURCES")
-    endif()
+    endif ()
 
     # Create target and add the sources.
     set(target_name "zeek_${name}_obj")
     add_library(${target_name} OBJECT ${FN_ARGS_SOURCES})
+    target_compile_definitions(${target_name} PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
     add_dependencies(${target_name} zeek_autogen_files)
     target_link_libraries(${target_name} PRIVATE $<BUILD_INTERFACE:zeek_internal>)
     add_clang_tidy_files(${FN_ARGS_SOURCES})
 
     # Take care of compiling BIFs.
     if (FN_ARGS_BIFS)
-        foreach ( bif ${FN_ARGS_BIFS} )
-              # Generate the target and add the extra dependency.
-              bif_target(${bif})
+        foreach (bif ${FN_ARGS_BIFS})
+            # Generate the target and add the extra dependency.
+            bif_target(${bif})
         endforeach ()
-    endif()
+    endif ()
 
     # Optionally add include directories and extra dependencies.
-    if ( FN_ARGS_INCLUDE_DIRS )
-        target_include_directories(
-            ${target_name}
-            BEFORE
-            PRIVATE
-              ${FN_ARGS_INCLUDE_DIRS})
+    if (FN_ARGS_INCLUDE_DIRS)
+        target_include_directories(${target_name} BEFORE PRIVATE ${FN_ARGS_INCLUDE_DIRS})
     endif ()
-    if ( FN_ARGS_DEPENDENCIES )
+    if (FN_ARGS_DEPENDENCIES)
         target_link_libraries(${target_name} PRIVATE ${FN_ARGS_DEPENDENCIES})
     endif ()
-    if ( FN_ARGS_INTERNAL_DEPENDENCIES )
-         add_dependencies(${target_name} ${FN_ARGS_INTERNAL_DEPENDENCIES})
+    if (FN_ARGS_INTERNAL_DEPENDENCIES)
+        add_dependencies(${target_name} ${FN_ARGS_INTERNAL_DEPENDENCIES})
     endif ()
 
     # Feed into the main Zeek target(s).
     zeek_target_link_libraries(${target_name})
-endfunction()
+endfunction ()
 
-########################################################################
-## Utility function for forcing CMake to re-run if files change on disk.
+# ##############################################################################
+# Utility function for forcing CMake to re-run if files change on disk.
 
-function(zeek_watch_files)
-    set_property(
-        DIRECTORY
-        APPEND
-        PROPERTY CMAKE_CONFIGURE_DEPENDS ${ARGN}
-    )
-endfunction()
+function (zeek_watch_files)
+    set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${ARGN})
+endfunction ()
 
-########################################################################
-## Create empty __load__.zeek stubs (override pre-existing ones).
+# ##############################################################################
+# Create empty __load__.zeek stubs (override pre-existing ones).
 
-function(zeek_create_load_script_stubs)
+function (zeek_create_load_script_stubs)
     set(file_comment "# Warning, this is an autogenerated file!\n")
-    foreach ( fpath ${ARGN} )
+    foreach (fpath ${ARGN})
         file(WRITE "${CMAKE_BINARY_DIR}/${fpath}" "${file_comment}")
         zeek_watch_files("${CMAKE_BINARY_DIR}/${fpath}")
     endforeach ()
 endfunction ()
 
 # Note: these files are filled from BifCl.cmake via `file(APPEND ...)`
-zeek_create_load_script_stubs(
-    scripts/builtin-plugins/__load__.zeek
-    scripts/base/bif/plugins/__load__.zeek
-    scripts/base/bif/__load__.zeek
-)
+zeek_create_load_script_stubs(scripts/builtin-plugins/__load__.zeek
+                              scripts/base/bif/plugins/__load__.zeek scripts/base/bif/__load__.zeek)
 
-########################################################################
-## Create empty __all__*.cc stubs (override pre-existing ones).
+# ##############################################################################
+# Create empty __all__*.cc stubs (override pre-existing ones).
 
-function(zeek_create_bif_autogen_stubs)
+function (zeek_create_bif_autogen_stubs)
     set(file_comment "// Warning, this is an autogenerated file!\n")
-    foreach ( fpath ${ARGN} )
+    foreach (fpath ${ARGN})
         file(WRITE "${CMAKE_BINARY_DIR}/${fpath}" "${file_comment}")
         zeek_watch_files("${CMAKE_BINARY_DIR}/${fpath}")
     endforeach ()
 endfunction ()
 
 # Note: these files are filled from BifCl.cmake via `file(APPEND ...)`.
-zeek_create_bif_autogen_stubs(
-    src/__all__.bif.cc
-    src/__all__.bif.init.cc
-    src/__all__.bif.register.cc
-)
+zeek_create_bif_autogen_stubs(src/__all__.bif.cc src/__all__.bif.init.cc
+                              src/__all__.bif.register.cc)
 
-########################################################################
-## Project/Build Configuration
+# ##############################################################################
+# Project/Build Configuration
 
-if ( ZEEK_ENABLE_FUZZERS )
+if (ZEEK_ENABLE_FUZZERS)
     # Fuzzers use shared lib to save disk space, so need -fPIC on everything
     set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 endif ()
@@ -380,15 +409,15 @@ else ()
     add_definitions(-DDOCTEST_CONFIG_DISABLE)
 endif ()
 
-if ( ENABLE_CCACHE )
+if (ENABLE_CCACHE)
     find_program(CCACHE_PROGRAM ccache)
 
-    if ( NOT CCACHE_PROGRAM )
+    if (NOT CCACHE_PROGRAM)
         message(FATAL_ERROR "ccache not found")
     endif ()
 
     message(STATUS "Using ccache: ${CCACHE_PROGRAM}")
-    set(CMAKE_C_COMPILER_LAUNCHER   ${CCACHE_PROGRAM})
+    set(CMAKE_C_COMPILER_LAUNCHER ${CCACHE_PROGRAM})
     set(CMAKE_CXX_COMPILER_LAUNCHER ${CCACHE_PROGRAM})
 endif ()
 
@@ -403,53 +432,59 @@ if (NOT ZEEK_MAN_INSTALL_PATH)
     set(ZEEK_MAN_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/man)
 endif ()
 
-# sanitize the Zeek script install directory into an absolute path
-# (CMake is confused by ~ as a representation of home directory)
-get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH}
-    ABSOLUTE)
+# sanitize the Zeek script install directory into an absolute path (CMake is
+# confused by ~ as a representation of home directory)
+get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH} ABSOLUTE)
 
-# A folder for library-like Zeek-specific things: Python modules, Zeek
-# plugins, etc.
+# A folder for library-like Zeek-specific things: Python modules, Zeek plugins,
+# etc.
 set(ZEEK_LIBDIR_PATH ${CMAKE_INSTALL_FULL_LIBDIR}/zeek)
 
 if (NOT ZEEK_PLUGIN_DIR)
-    set(ZEEK_PLUGIN_DIR ${ZEEK_LIBDIR_PATH}/plugins
-        CACHE STRING "Installation path for plugins" FORCE)
-endif()
+    set(ZEEK_PLUGIN_DIR ${ZEEK_LIBDIR_PATH}/plugins CACHE STRING "Installation path for plugins"
+                                                          FORCE)
+endif ()
 
 set(cmake_binary_dir "${CMAKE_BINARY_DIR}")
 set(cmake_current_binary_dir "${CMAKE_CURRENT_BINARY_DIR}")
 set(cmake_install_prefix "${CMAKE_INSTALL_PREFIX}")
 set(cmake_source_dir "${CMAKE_SOURCE_DIR}")
 set(zeek_script_install_path "${ZEEK_SCRIPT_INSTALL_PATH}")
-if ( MSVC )
+if (MSVC)
+    # This has to happen before we modify the paths below so that the pure Windows
+    # paths are stored in the output file.
+    configure_file(zeek-path-dev.bat.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.bat)
+
     string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_binary_dir "${cmake_binary_dir}")
-    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_current_binary_dir "${cmake_current_binary_dir}")
-    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_install_prefix "${cmake_install_prefix}")
+    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_current_binary_dir
+                         "${cmake_current_binary_dir}")
+    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_install_prefix
+                         "${cmake_install_prefix}")
     string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" cmake_source_dir "${cmake_source_dir}")
-    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" zeek_script_install_path "${zeek_script_install_path}")
+    string(REGEX REPLACE "^([A-Za-z]):/(.*)" "/\\1/\\2" zeek_script_install_path
+                         "${zeek_script_install_path}")
 endif ()
 
 # Set the path where we install the ZeekConfig.cmake file and related files.
 set(ZEEK_CMAKE_CONFIG_DIR "${CMAKE_INSTALL_PREFIX}/share/zeek/cmake")
 
-if ( NOT ZEEK_ETC_INSTALL_DIR )
+if (NOT ZEEK_ETC_INSTALL_DIR)
     set(ZEEK_ETC_INSTALL_DIR ${ZEEK_ROOT_DIR}/etc)
 endif ()
 
-if ( NOT ZEEK_STATE_DIR )
+if (NOT ZEEK_STATE_DIR)
     set(ZEEK_STATE_DIR ${ZEEK_ROOT_DIR}/var/lib)
 endif ()
 
-if ( NOT ZEEK_SPOOL_DIR )
+if (NOT ZEEK_SPOOL_DIR)
     set(ZEEK_SPOOL_DIR ${ZEEK_ROOT_DIR}/spool)
 endif ()
 
-if ( NOT ZEEK_LOG_DIR )
+if (NOT ZEEK_LOG_DIR)
     set(ZEEK_LOG_DIR ${ZEEK_ROOT_DIR}/logs)
 endif ()
 
-if ( NOT MSVC )
+if (NOT MSVC)
     set(HAVE_SUPERVISOR true)
 endif ()
 
@@ -460,25 +495,30 @@ install(DIRECTORY DESTINATION ${ZEEK_LOG_DIR})
 
 configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
 
-file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
-     "export ZEEKPATH=`${cmake_binary_dir}/zeek-path-dev`\n"
-     "export ZEEK_PLUGIN_PATH=\"${cmake_binary_dir}/src\":$\{ZEEK_PLUGIN_PATH\}\n"
-     "export PATH=\"${cmake_binary_dir}\":\"${cmake_binary_dir}/src\":\"${cmake_binary_dir}/auxil/spicy/spicy/bin\":\"${cmake_binary_dir}/src/builtin-plugins/spicy-plugin/bin\":$\{PATH\}\n"
-     "export SPICY_PATH=`${cmake_binary_dir}/spicy-path`\n"
-     "export HILTI_CXX_INCLUDE_DIRS=`${cmake_binary_dir}/hilti-cxx-include-dirs`\n")
+file(
+    WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
+    "export ZEEKPATH=`${cmake_binary_dir}/zeek-path-dev`\n"
+    "export ZEEK_PLUGIN_PATH=\"${cmake_binary_dir}/src\":$\{ZEEK_PLUGIN_PATH\}\n"
+    "export PATH=\"${cmake_binary_dir}\":\"${cmake_binary_dir}/src\":\"${cmake_binary_dir}/auxil/spicy/bin\":\"${cmake_binary_dir}/src/spicy/spicyz\":$\{PATH\}\n"
+    "export SPICY_PATH=`${cmake_binary_dir}/spicy-path`\n"
+    "export HILTI_CXX_INCLUDE_DIRS=`${cmake_binary_dir}/hilti-cxx-include-dirs`\n"
+    "export ZEEK_SPICY_LIBRARY_PATH=${cmake_source_dir}/scripts/spicy\n")
 
-file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
-     "setenv ZEEKPATH `${cmake_binary_dir}/zeek-path-dev`\n"
-     "setenv ZEEK_PLUGIN_PATH \"${cmake_binary_dir}/src\":$\{ZEEK_PLUGIN_PATH\}\n"
-     "setenv PATH \"${cmake_binary_dir}\":\"${cmake_binary_dir}/src\":\"${cmake_binary_dir}/auxil/spicy/spicy/bin\":\"${cmake_binary_dir}/src/builtin-plugins/spicy-plugin/bin\":$\{PATH\}\n"
-     "setenv SPICY_PATH \"`${cmake_binary_dir}/spicy-path`\"\n"
-     "setenv HILTI_CXX_INCLUDE_DIRS \"`${cmake_binary_dir}/hilti-cxx-include-dirs`\"\n")
+file(
+    WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
+    "setenv ZEEKPATH `${cmake_binary_dir}/zeek-path-dev`\n"
+    "setenv ZEEK_PLUGIN_PATH \"${cmake_binary_dir}/src\":$\{ZEEK_PLUGIN_PATH\}\n"
+    "setenv PATH \"${cmake_binary_dir}\":\"${cmake_binary_dir}/src\":\"${cmake_binary_dir}/auxil/spicy/bin\":\"${cmake_binary_dir}/src/spicy/spicyz\":$\{PATH\}\n"
+    "setenv SPICY_PATH \"`${cmake_binary_dir}/spicy-path`\"\n"
+    "setenv HILTI_CXX_INCLUDE_DIRS \"`${cmake_binary_dir}/hilti-cxx-include-dirs`\"\n"
+    "setenv ZEEK_SPICY_LIBRARY_PATH \"${cmake_source_dir}/scripts/spicy\"\n")
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
-execute_process(COMMAND grep "^constexpr int PLUGIN_API_VERSION"
-                INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h
-                OUTPUT_VARIABLE API_VERSION
-                OUTPUT_STRIP_TRAILING_WHITESPACE)
+execute_process(
+    COMMAND grep "^constexpr int PLUGIN_API_VERSION"
+    INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h
+    OUTPUT_VARIABLE API_VERSION
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
 
 string(REGEX MATCH "^constexpr int PLUGIN_API_VERSION = ([0-9]+);" API_VERSION "${API_VERSION}")
 set(API_VERSION "${CMAKE_MATCH_1}")
@@ -496,15 +536,16 @@ set(VERSION_C_IDENT "${VERSION}_plugin_${API_VERSION}")
 string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}")
 string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}")
 
-if(ENABLE_DEBUG)
+if (ENABLE_DEBUG)
     set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
     target_compile_definitions(zeek_internal INTERFACE DEBUG)
     target_compile_definitions(zeek_dynamic_plugin_base INTERFACE DEBUG)
-endif()
+endif ()
 
-if ( NOT BINARY_PACKAGING_MODE )
-    macro(_make_install_dir_symlink _target _link)
-      install(CODE "
+if (NOT BINARY_PACKAGING_MODE)
+    macro (_make_install_dir_symlink _target _link)
+        install(
+            CODE "
         if ( \"\$ENV{DESTDIR}\" STREQUAL \"\" )
           if ( EXISTS \"${_target}\" AND NOT EXISTS \"${_link}\" )
             message(STATUS \"WARNING: installed ${_link} as symlink to ${_target}\")
@@ -513,84 +554,91 @@ if ( NOT BINARY_PACKAGING_MODE )
           endif ()
         endif ()
       ")
-    endmacro()
+    endmacro ()
 
-    if ( "${CMAKE_INSTALL_PREFIX}" STREQUAL "/usr/local/zeek" )
-        # If we're installing into the default prefix, check if the
-        # old default prefix already exists and symlink to it.
-        # This is done to help keep custom user configuration/installation
-        # if they're upgrading from a version before Zeek 3.0.
+    if ("${CMAKE_INSTALL_PREFIX}" STREQUAL "/usr/local/zeek")
+        # If we're installing into the default prefix, check if the old default
+        # prefix already exists and symlink to it. This is done to help keep custom
+        # user configuration/installation if they're upgrading from a version before
+        # Zeek 3.0.
         _make_install_dir_symlink("/usr/local/bro" "/usr/local/zeek")
     endif ()
 
-    # Check whether we need to symlink directories used by versions
-    # before Zeek 3.0.
-    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek")
-    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek")
+    # Check whether we need to symlink directories used by versions before Zeek
+    # 3.0.
+    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro"
+                              "${CMAKE_INSTALL_PREFIX}/include/zeek")
+    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro"
+                              "${CMAKE_INSTALL_PREFIX}/share/zeek")
     _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_FULL_LIBDIR}/zeek")
 endif ()
 
-if ( ZEEK_SANITIZERS )
+if (ZEEK_SANITIZERS)
     # Check the thread library info early as setting compiler flags seems to
-    # interfere with the detection and cause CMAKE_THREAD_LIBS_INIT to not
-    # include -lpthread when it should.
+    # interfere with the detection and cause CMAKE_THREAD_LIBS_INIT to not include
+    # -lpthread when it should.
     find_package(Threads)
 
     string(REPLACE "," " " _sanitizer_args "${ZEEK_SANITIZERS}")
     separate_arguments(_sanitizer_args)
     set(ZEEK_SANITIZERS "")
 
-    foreach ( _sanitizer ${_sanitizer_args} )
-        if ( ZEEK_SANITIZERS )
+    foreach (_sanitizer ${_sanitizer_args})
+        if (ZEEK_SANITIZERS)
             set(ZEEK_SANITIZERS "${ZEEK_SANITIZERS},")
         endif ()
 
-        if ( _sanitizer STREQUAL "thread" )
+        if (_sanitizer STREQUAL "thread")
             set(ZEEK_TSAN true)
         endif ()
 
-        if ( NOT _sanitizer STREQUAL "undefined" )
+        if (NOT _sanitizer STREQUAL "undefined")
             set(ZEEK_SANITIZERS "${ZEEK_SANITIZERS}${_sanitizer}")
             continue()
         endif ()
 
-        if ( NOT DEFINED ZEEK_SANITIZER_UB_CHECKS )
-            if ( DEFINED ENV{ZEEK_TAILORED_UB_CHECKS} )
+        if (NOT DEFINED ZEEK_SANITIZER_UB_CHECKS)
+            if (DEFINED ENV{ZEEK_TAILORED_UB_CHECKS})
                 # list(APPEND _check_list "alignment") # TODO: fix associated errors
                 list(APPEND _check_list "bool")
                 # list(APPEND _check_list "builtin") # Not implemented in older GCCs
-                list(APPEND _check_list "bounds") # Covers both array/local bounds options below
+                list(APPEND _check_list "bounds") # Covers both array/local bounds
+                                                  # options below
                 # list(APPEND _check_list "array-bounds") # Not implemented by GCC
-                # list(APPEND _check_list "local-bounds") # Not normally part of "undefined"
+                # list(APPEND _check_list "local-bounds") # Not normally part of
+                # "undefined"
                 list(APPEND _check_list "enum")
                 list(APPEND _check_list "float-cast-overflow")
                 list(APPEND _check_list "float-divide-by-zero")
                 # list(APPEND _check_list "function") # Not implemented by GCC
-                # list(APPEND _check_list "implicit-unsigned-integer-truncation") # Not truly UB
-                # list(APPEND _check_list "implicit-signed-integer-truncation") # Not truly UB
-                # list(APPEND _check_list "implicit-integer-sign-change") # Not truly UB
+                # list(APPEND _check_list "implicit-unsigned-integer-truncation") # Not
+                # truly UB list(APPEND _check_list "implicit-signed-integer-truncation")
+                # # Not truly UB list(APPEND _check_list "implicit-integer-sign-change")
+                # # Not truly UB
                 list(APPEND _check_list "integer-divide-by-zero")
                 list(APPEND _check_list "nonnull-attribute")
                 list(APPEND _check_list "null")
-                # list(APPEND _check_list "nullability-arg") # Not normally part of "undefined"
-                # list(APPEND _check_list "nullability-assign") # Not normally part of "undefined"
-                # list(APPEND _check_list "nullability-return") # Not normally part of "undefined"
-                # list(APPEND _check_list "objc-cast") # Not truly UB
-                # list(APPEND _check_list "pointer-overflow") # Not implemented in older GCCs
+                # list(APPEND _check_list "nullability-arg") # Not normally part of
+                # "undefined" list(APPEND _check_list "nullability-assign") # Not
+                # normally part of "undefined" list(APPEND _check_list
+                # "nullability-return") # Not normally part of "undefined" list(APPEND
+                # _check_list "objc-cast") # Not truly UB list(APPEND _check_list
+                # "pointer-overflow") # Not implemented in older GCCs
                 list(APPEND _check_list "return")
                 list(APPEND _check_list "returns-nonnull-attribute")
                 list(APPEND _check_list "shift")
-                # list(APPEND _check_list "unsigned-shift-base") # Not implemented by GCC
+                # list(APPEND _check_list "unsigned-shift-base") # Not implemented by
+                # GCC
                 list(APPEND _check_list "signed-integer-overflow")
                 list(APPEND _check_list "unreachable")
                 # list(APPEND _check_list "unsigned-integer-overflow") # Not truly UB
                 list(APPEND _check_list "vla-bound")
                 list(APPEND _check_list "vptr")
 
-                # Clang complains if this one is defined and the optimizer is set to -O0. We
-                # only set that optimization level if NO_OPTIMIZATIONS is passed, so disable
-                # the option if that's set.
-                if ( NOT DEFINED ENV{NO_OPTIMIZATIONS} )
+                # Clang complains if this one is defined and the optimizer is set to
+                # -O0. We only set that optimization level if NO_OPTIMIZATIONS is
+                # passed, so disable the option if that's set.
+                if (NOT DEFINED ENV{NO_OPTIMIZATIONS})
                     list(APPEND _check_list "object-size")
                 endif ()
 
@@ -606,52 +654,54 @@ if ( ZEEK_SANITIZERS )
 
     set(_sanitizer_flags "-fsanitize=${ZEEK_SANITIZERS}")
 
-    # The linker command used by check_cxx_compiler_flag requires you to also pass the sanitizer to
-    # it or it fails. The best way to do this is to set CMAKE_REQUIRED_LINK_OPTIONS, but save off a
-    # copy of it so it can be reset back to what it was previously afterwards.
+    # The linker command used by check_cxx_compiler_flag requires you to also pass
+    # the sanitizer to it or it fails. The best way to do this is to set
+    # CMAKE_REQUIRED_LINK_OPTIONS, but save off a copy of it so it can be reset
+    # back to what it was previously afterwards.
     set(_temp_link_options ${CMAKE_REQUIRED_LINK_OPTIONS})
     list(APPEND CMAKE_REQUIRED_LINK_OPTIONS ${_sanitizer_flags})
     include(CheckCXXCompilerFlag)
     check_cxx_compiler_flag(${_sanitizer_flags} COMPILER_SUPPORTS_SANITIZERS)
-    if ( NOT COMPILER_SUPPORTS_SANITIZERS )
-      message(FATAL_ERROR "Invalid sanitizer compiler flags: ${_sanitizer_flags}")
-    endif()
+    if (NOT COMPILER_SUPPORTS_SANITIZERS)
+        message(FATAL_ERROR "Invalid sanitizer compiler flags: ${_sanitizer_flags}")
+    endif ()
     set(CMAKE_REQUIRED_LINK_OPTIONS ${_temp_link_options})
 
-    if ( ZEEK_SANITIZER_UB_CHECKS )
-        set(_sanitizer_flags "${_sanitizer_flags} -fno-sanitize-recover=${ZEEK_SANITIZER_UB_CHECKS}")
+    if (ZEEK_SANITIZER_UB_CHECKS)
+        set(_sanitizer_flags
+            "${_sanitizer_flags} -fno-sanitize-recover=${ZEEK_SANITIZER_UB_CHECKS}")
     endif ()
 
     set(_sanitizer_flags "${_sanitizer_flags} -fno-omit-frame-pointer")
     set(_sanitizer_flags "${_sanitizer_flags} -fno-optimize-sibling-calls")
 
-    if ( NOT DEFINED ZEEK_SANITIZER_OPTIMIZATIONS )
-        if ( DEFINED ENV{NO_OPTIMIZATIONS} )
+    if (NOT DEFINED ZEEK_SANITIZER_OPTIMIZATIONS)
+        if (DEFINED ENV{NO_OPTIMIZATIONS})
             # Using -O1 is generally the suggestion to get more reasonable
-            # performance.  The one downside is it that the compiler may
-            # optimize out code that otherwise generates an error/leak in a -O0
-            # build, but that should be rare and users mostly will not be
-            # running unoptimized builds in production anyway.
+            # performance.  The one downside is it that the compiler may optimize out
+            # code that otherwise generates an error/leak in a -O0 build, but that
+            # should be rare and users mostly will not be running unoptimized builds
+            # in production anyway.
             set(ZEEK_SANITIZER_OPTIMIZATIONS false CACHE INTERNAL "" FORCE)
         else ()
             set(ZEEK_SANITIZER_OPTIMIZATIONS true CACHE INTERNAL "" FORCE)
         endif ()
     endif ()
 
-    if ( ZEEK_SANITIZER_OPTIMIZATIONS )
+    if (ZEEK_SANITIZER_OPTIMIZATIONS)
         set(_sanitizer_flags "${_sanitizer_flags} -O1")
     endif ()
 
-    # Technically, the we also need to use the compiler to drive linking and
-    # give the sanitizer flags there, too.  However, CMake, by default, uses
-    # the compiler for linking and so the automatically flags get used.  See
+    # Technically, the we also need to use the compiler to drive linking and give
+    # the sanitizer flags there, too.  However, CMake, by default, uses the
+    # compiler for linking and so the automatically flags get used.  See
     # https://cmake.org/pipermail/cmake/2014-August/058268.html
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_sanitizer_flags}")
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${_sanitizer_flags}")
-endif()
+endif ()
 
-########################################################################
-## Dependency Configuration
+# ##############################################################################
+# Dependency Configuration
 
 include(FindRequiredPackage)
 
@@ -671,14 +721,19 @@ FindRequiredPackage(FLEX)
 FindRequiredPackage(BISON)
 FindRequiredPackage(PCAP)
 FindRequiredPackage(OpenSSL)
-if ( NOT MSVC )
+if (NOT MSVC)
     FindRequiredPackage(BIND)
 endif ()
 FindRequiredPackage(ZLIB)
 
+if (NOT BINARY_PACKAGING_MODE)
+    # TODO: Broker seems to always turn on static libraries. We don't want that for Spicy by default.
+    set(BUILD_SHARED_LIBS yes)
+endif ()
+
 # Forward user-defined hint for OpenSSL to the plugins. Use a cache variable to
-# make sure this variable survives CMake re-runs.
-# Note: This variable is picked up in ZeekPluginConfig.cmake.in.
+# make sure this variable survives CMake re-runs. Note: This variable is picked
+# up in ZeekPluginConfig.cmake.in.
 if (OPENSSL_ROOT_DIR)
     set(ZeekOpenSSLHint "${OPENSSL_ROOT_DIR}" CACHE INTERNAL "" FORCE)
 elseif (DEFINED ENV{OPENSSL_ROOT_DIR})
@@ -686,18 +741,17 @@ elseif (DEFINED ENV{OPENSSL_ROOT_DIR})
 endif ()
 
 # Forward PKG_CONFIG_PATH to the plugins. Use a cache variable to make sure this
-# variable survives CMake re-runs.
-# Note: This variable is picked up in ZeekPluginConfig.cmake.in.
+# variable survives CMake re-runs. Note: This variable is picked up in
+# ZeekPluginConfig.cmake.in.
 if (DEFINED ENV{PKG_CONFIG_PATH})
     set(ZeekPkgConfigPath "$ENV{PKG_CONFIG_PATH}" CACHE INTERNAL "" FORCE)
 endif ()
 
-# Installation directory for the distribution's Python modules. An
-# override via configure's --python-dir wins, specifying a directory
-# explicitly. Next is --python-prefix, which includes a versioned
-# Python folder as the --prefix option in distutils does. Next
-# consider a distutils --home style override via --python-home, and
-# finally default to "zeek/python" in our libdir.
+# Installation directory for the distribution's Python modules. An override via
+# configure's --python-dir wins, specifying a directory explicitly. Next is
+# --python-prefix, which includes a versioned Python folder as the --prefix
+# option in distutils does. Next consider a distutils --home style override via
+# --python-home, and finally default to "zeek/python" in our libdir.
 if (ZEEK_PYTHON_DIR)
     set(py_mod_install_dir ${ZEEK_PYTHON_DIR})
 elseif (ZEEK_PYTHON_PREFIX)
@@ -708,25 +762,25 @@ elseif (ZEEK_PYTHON_HOME)
 else ()
     set(py_mod_install_dir ${ZEEK_LIBDIR_PATH}/python)
 endif ()
-set(PY_MOD_INSTALL_DIR ${py_mod_install_dir}
-    CACHE STRING "Installation path for Python modules" FORCE)
+set(PY_MOD_INSTALL_DIR ${py_mod_install_dir} CACHE STRING "Installation path for Python modules"
+                                                   FORCE)
 
 if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/auxil/binpac/CMakeLists.txt)
 
     set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
-    if ( MSVC )
+    if (MSVC)
         set(BUILD_STATIC_BINPAC true)
-    endif()
+    endif ()
 
-    if ( BUILD_STATIC_BINPAC )
-      set(ENABLE_STATIC_ONLY true)
-    endif()
+    if (BUILD_STATIC_BINPAC)
+        set(ENABLE_STATIC_ONLY true)
+    endif ()
 
     add_subdirectory(auxil/binpac)
     set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
 
-    # FIXME: avoid hard-coding a path for multi-config generator support.
-    # See the TODO in ZeekPluginConfig.cmake.in.
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
     set(BINPAC_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/binpac/src/binpac${CMAKE_EXECUTABLE_SUFFIX}")
 endif ()
 FindRequiredPackage(BinPAC)
@@ -734,22 +788,21 @@ FindRequiredPackage(BinPAC)
 # Add an alias (used by our plugin setup).
 add_executable(Zeek::BinPAC ALIAS binpac)
 
-if ( NOT BIFCL_EXE_PATH )
+if (NOT BIFCL_EXE_PATH)
     add_subdirectory(auxil/bifcl)
     add_executable(Zeek::BifCl ALIAS bifcl)
-    # FIXME: avoid hard-coding a path for multi-config generator support.
-    # See the TODO in ZeekPluginConfig.cmake.in.
+    # FIXME: avoid hard-coding a path for multi-config generator support. See the
+    # TODO in ZeekPluginConfig.cmake.in.
     set(BIFCL_EXE_PATH "${CMAKE_BINARY_DIR}/auxil/bifcl/bifcl${CMAKE_EXECUTABLE_SUFFIX}")
     set(_bifcl_exe_path "included")
-else ( )
+else ()
     add_executable(Zeek::BifCl IMPORTED)
-    set_property(TARGET Zeek::BifCl PROPERTY
-                 IMPORTED_LOCATION "${BIFCL_EXE_PATH}")
+    set_property(TARGET Zeek::BifCl PROPERTY IMPORTED_LOCATION "${BIFCL_EXE_PATH}")
     set(_bifcl_exe_path "BIFCL_EXE_PATH")
 endif ()
 
-if ( NOT GEN_ZAM_EXE_PATH )
-  add_subdirectory(auxil/gen-zam)
+if (NOT GEN_ZAM_EXE_PATH)
+    add_subdirectory(auxil/gen-zam)
 endif ()
 
 if (ENABLE_JEMALLOC)
@@ -757,20 +810,20 @@ if (ENABLE_JEMALLOC)
         if (DEFINED JEMALLOC_ROOT_DIR)
             # Look for jemalloc at a specific path
             find_package(JeMalloc)
-        else()
+        else ()
             # jemalloc is in the base system
             set(JEMALLOC_FOUND true)
-        endif()
-    else()
+        endif ()
+    else ()
         find_package(JeMalloc)
-    endif()
+    endif ()
 
     if (NOT JEMALLOC_FOUND)
         message(FATAL_ERROR "Could not find requested JeMalloc")
-    endif()
+    endif ()
 endif ()
 
-if ( BISON_VERSION AND BISON_VERSION VERSION_LESS 2.5 )
+if (BISON_VERSION AND BISON_VERSION VERSION_LESS 2.5)
     set(MISSING_PREREQS true)
     list(APPEND MISSING_PREREQ_DESCS
          " Could not find prerequisite package Bison >= 2.5, found: ${BISON_VERSION}")
@@ -785,12 +838,12 @@ endif ()
 
 set(ZEEK_PYTHON_MIN 3.5.0)
 
-if ( PYTHON_VERSION_STRING VERSION_LESS ${ZEEK_PYTHON_MIN} )
+if (PYTHON_VERSION_STRING VERSION_LESS ${ZEEK_PYTHON_MIN})
     message(FATAL_ERROR "Python ${ZEEK_PYTHON_MIN} or greater is required.")
 endif ()
 
 add_subdirectory(auxil/paraglob)
-if ( MSVC )
+if (MSVC)
     cmake_policy(SET CMP0079 NEW)
     target_link_libraries(paraglob shlwapi)
     set(BROKER_DISABLE_TOOLS true)
@@ -798,120 +851,94 @@ endif ()
 set(zeekdeps ${zeekdeps} paraglob)
 
 # Note: Broker gets some special attention in ZeekConfig.cmake.in.
-if ( Broker_ROOT )
-  find_package(Broker REQUIRED CONFIG)
-  list(APPEND zeekdeps ${BROKER_LIBRARY})
-  set(broker_includes ${BROKER_INCLUDE_DIR})
-  set(ZEEK_HAS_EXTERNAL_BROKER ON)
-  set(ZEEK_HAS_STATIC_BROKER OFF)
-else ()
-  if ( ZEEK_SANITIZERS )
-    set(BROKER_SANITIZERS ${ZEEK_SANITIZERS})
-  endif ()
-
-  set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
-  if ( MSVC )
-    set(BUILD_STATIC_BROKER true)
-  endif()
-
-  if ( BUILD_STATIC_BROKER )
-    set(ENABLE_STATIC_ONLY true)
-  endif()
-
-  add_subdirectory(auxil/broker)
-  set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
-
-  if ( BUILD_STATIC_BROKER )
-      list(APPEND zeekdeps broker_static)
-  else()
-      list(APPEND zeekdeps broker)
-  endif()
-
-  set(
-    broker_includes
-    ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/include
-    ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/include)
-
-  if (BUILD_STATIC_BROKER)
-    set(ZEEK_HAS_STATIC_BROKER ON)
-  else ()
+if (Broker_ROOT)
+    find_package(Broker REQUIRED CONFIG)
+    list(APPEND zeekdeps ${BROKER_LIBRARY})
+    set(broker_includes ${BROKER_INCLUDE_DIR})
+    set(ZEEK_HAS_EXTERNAL_BROKER ON)
     set(ZEEK_HAS_STATIC_BROKER OFF)
-  endif ()
-  set(ZEEK_HAS_EXTERNAL_BROKER OFF)
+else ()
+    if (ZEEK_SANITIZERS)
+        set(BROKER_SANITIZERS ${ZEEK_SANITIZERS})
+    endif ()
 
-  # Tell plugins where to find the Broker CMake package in the source tree.
-  # This variable is picked up in ZeekPluginConfig.cmake.in.
-  set(ZEEK_PLUGIN_BROKER_PATH "${CMAKE_CURRENT_BINARY_DIR}/auxil/broker")
+    set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})
+    if (MSVC)
+        set(BUILD_STATIC_BROKER true)
+    endif ()
+
+    if (BUILD_STATIC_BROKER)
+        set(ENABLE_STATIC_ONLY true)
+    endif ()
+
+    add_subdirectory(auxil/broker)
+    set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})
+
+    if (BUILD_STATIC_BROKER)
+        list(APPEND zeekdeps broker_static)
+    else ()
+        list(APPEND zeekdeps broker)
+    endif ()
+
+    set(broker_includes ${CMAKE_CURRENT_SOURCE_DIR}/auxil/broker/include
+                        ${CMAKE_CURRENT_BINARY_DIR}/auxil/broker/include)
+
+    if (BUILD_STATIC_BROKER)
+        set(ZEEK_HAS_STATIC_BROKER ON)
+    else ()
+        set(ZEEK_HAS_STATIC_BROKER OFF)
+    endif ()
+    set(ZEEK_HAS_EXTERNAL_BROKER OFF)
+
+    # Tell plugins where to find the Broker CMake package in the source tree. This
+    # variable is picked up in ZeekPluginConfig.cmake.in.
+    set(ZEEK_PLUGIN_BROKER_PATH "${CMAKE_CURRENT_BINARY_DIR}/auxil/broker")
 endif ()
 
-if ( NOT DISABLE_SPICY )
-    set(USE_SPICY_ANALYZERS yes)
+if (NOT DISABLE_SPICY)
+    if (SPICY_ROOT_DIR)
+        find_package(Spicy REQUIRED) # will set HAVE_SPICY
+        spicy_require_version("1.8.0")
 
-    if ( NOT SPICY_ROOT_DIR )
-        set(HAVE_SPICY yes) # evaluated by Spicy plugin build
+        if (NOT SPICY_HAVE_TOOLCHAIN)
+            message(FATAL_ERROR "Spicy not built with toolchain support")
+        endif ()
+
+        spicy_print_summary()
+    else ()
+        # Spicy needs the full prefix for Flex and Bison while Zeek captures
+        # only the paths to the executables. Derive the prefixes from the
+        # binary paths under the assumption that their bindir is under their
+        # prefix (which also implies that one such prefix even exists).
+        get_filename_component(dir ${FLEX_EXECUTABLE} DIRECTORY ABSOLUTE)
+        set(FLEX_ROOT ${dir}/..)
+
+        get_filename_component(dir ${BISON_EXECUTABLE} DIRECTORY ABSOLUTE)
+        set(BISON_ROOT ${dir}/..)
+
+        # The script generating precompiled headers for Spicy expects a
+        # different build system layout than provided for a bundled Spicy,
+        # disable it.
+        set(HILTI_DEV_PRECOMPILE_HEADERS OFF)
 
         add_subdirectory(auxil/spicy)
+        include(ConfigureSpicyBuild) # set some options different for building Spicy
 
-        # Set variables used by the spicy-plugin build since we are building Spicy
-        # as part of Zeek so spicy-plugin cannot use `spicy-config` at configure
-        # time to set these.
-        set(SPICY_CONFIG "<builtin>")
-        set(SPICY_HAVE_TOOLCHAIN "YES")
-        set(SPICY_INCLUDE_DIRS_RUNTIME
-            ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/runtime/include
-            ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/spicy/runtime/include
-            ${PROJECT_BINARY_DIR}/auxil/spicy/spicy/include)
-        set(SPICY_INCLUDE_DIRS_TOOLCHAIN
-            ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/toolchain/include
-            ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/spicy/toolchain/include)
-        set(SPICY_LIBRARY spicy)
-        set(HILTI_LIBRARY_RT hilti-rt)
-        set(HILTI_LIBRARY_RT_DEBUG hilti-rt-debug)
-        set(SPICY_LIBRARY_RT spicy-rt)
-        set(SPICY_LIBRARY_RT_DEBUG spicy-rt-debug)
-
-        # Needed only for logging from CMake configure phase.
-        get_directory_property(
-            SPICY_VERSION
-            DIRECTORY ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy
-            DEFINITION SPICY_VERSION)
-        get_directory_property(
-            SPICY_VERSION_NUMBER
-            DIRECTORY ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy
-            DEFINITION SPICY_VERSION_NUMBER)
-        get_directory_property(
-            SPICY_PREFIX
-            DIRECTORY ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy
-            DEFINITION CMAKE_INSTALL_PREFIX)
-        get_directory_property(
-            SPICY_BUILD_MODE
-            DIRECTORY ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy
-            DEFINITION CMAKE_BUILD_TYPE)
-        set(SPICYC "<bundled>")
+        zeek_add_dependencies(spicy)
+        set(HAVE_SPICY yes)
     endif ()
 
-    if ( NOT SPICY_PLUGIN_PATH )
-        set(_spicy_plugin "included")
-        set(SPICY_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/spicy-plugin)
-    endif ()
-
-    set(SPICY_PLUGIN_BINARY_PATH ${CMAKE_BINARY_DIR}/src/builtin-plugins/spicy-plugin)
-    list(APPEND ZEEK_INCLUDE_PLUGINS ${SPICY_PLUGIN_PATH})
+    set(USE_SPICY_ANALYZERS yes)
 else ()
-    set(HAVE_SPICY no) # evaluated by Spicy plugin build
+    set(HAVE_SPICY no)
     set(USE_SPICY_ANALYZERS no)
 endif ()
 
 set(USE_SPICY_ANALYZERS "${USE_SPICY_ANALYZERS}" CACHE BOOL "Use built-in Spicy analyzers")
 include(BuiltInSpicyAnalyzer)
 
-include_directories(BEFORE
-                    ${PCAP_INCLUDE_DIR}
-                    ${BIND_INCLUDE_DIR}
-                    ${BinPAC_INCLUDE_DIR}
-                    ${ZLIB_INCLUDE_DIR}
-                    ${JEMALLOC_INCLUDE_DIR}
-)
+include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR}
+                    ${ZLIB_INCLUDE_DIR} ${JEMALLOC_INCLUDE_DIR})
 
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/rapidjson/include/rapidjson
         DESTINATION include/zeek/3rdparty/rapidjson/include)
@@ -922,10 +949,12 @@ install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc
 # Create 3rdparty/ghc within the build directory so that the include for
 # "zeek/3rdparty/ghc/filesystem.hpp" works within the build tree.
 execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
-                "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/")
-execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink
-                "${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc"
-                "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/ghc")
+                        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/")
+execute_process(
+    COMMAND
+        "${CMAKE_COMMAND}" -E create_symlink
+        "${CMAKE_CURRENT_SOURCE_DIR}/auxil/filesystem/include/ghc"
+        "${CMAKE_CURRENT_BINARY_DIR}/3rdparty/ghc")
 
 # Optional Dependencies
 
@@ -938,23 +967,23 @@ if (LIBMMDB_FOUND)
 endif ()
 
 set(USE_KRB5 false)
-if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
-  find_package(LibKrb5)
-  if (LIBKRB5_FOUND)
-     set(USE_KRB5 true)
-     include_directories(BEFORE ${LibKrb5_INCLUDE_DIR})
-     list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
-  endif ()
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    find_package(LibKrb5)
+    if (LIBKRB5_FOUND)
+        set(USE_KRB5 true)
+        include_directories(BEFORE ${LibKrb5_INCLUDE_DIR})
+        list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+    endif ()
 endif ()
 
 set(HAVE_PERFTOOLS false)
 set(USE_PERFTOOLS_DEBUG false)
 set(USE_PERFTOOLS_TCMALLOC false)
 
-if ( ENABLE_PERFTOOLS )
-   find_package(GooglePerftools)
+if (ENABLE_PERFTOOLS)
+    find_package(GooglePerftools)
 
-    if ( GOOGLEPERFTOOLS_FOUND OR TCMALLOC_FOUND )
+    if (GOOGLEPERFTOOLS_FOUND OR TCMALLOC_FOUND)
         set(HAVE_PERFTOOLS true)
         set(USE_PERFTOOLS_TCMALLOC true)
 
@@ -967,44 +996,44 @@ if ( ENABLE_PERFTOOLS )
             # Link in tcmalloc.
             list(APPEND OPTLIBS ${GooglePerftools_LIBRARIES})
         endif ()
-    else()
+    else ()
         message(FATAL_ERROR "Could not find requested Google Perftools.")
     endif ()
 endif ()
 
-# Making sure any non-standard OpenSSL includes get searched earlier
-# than other dependencies which tend to be in standard system locations
-# and thus cause the system OpenSSL headers to still be picked up even
-# if one specifies --with-openssl (which may be common).
+# Making sure any non-standard OpenSSL includes get searched earlier than other
+# dependencies which tend to be in standard system locations and thus cause the
+# system OpenSSL headers to still be picked up even if one specifies
+# --with-openssl (which may be common).
 include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})
 
 # Determine if libfts is external to libc, i.e. musl
 find_package(FTS)
-if ( FTS_FOUND )
+if (FTS_FOUND)
     list(APPEND OPTLIBS ${FTS_LIBRARY})
     include_directories(BEFORE ${FTS_INCLUDE_DIR})
 endif ()
 
-# Any headers that are possibly bundled in the Zeek source-tree and that are supposed
-# to have priority over any preexisting/system-wide headers need to appear early in
-# compiler search path.
+# Any headers that are possibly bundled in the Zeek source-tree and that are
+# supposed to have priority over any preexisting/system-wide headers need to
+# appear early in compiler search path.
 include_directories(BEFORE ${broker_includes})
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/auxil/highwayhash)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/auxil/paraglob/include)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/auxil/rapidjson/include)
 
-set(zeekdeps ${zeekdeps}
+set(zeekdeps
+    ${zeekdeps}
     ${BinPAC_LIBRARY}
     ${PCAP_LIBRARY}
     ${OPENSSL_LIBRARIES}
     ${BIND_LIBRARY}
     ${ZLIB_LIBRARY}
     ${JEMALLOC_LIBRARIES}
-    ${OPTLIBS}
-)
+    ${OPTLIBS})
 
-########################################################################
-## System Introspection
+# ##############################################################################
+# System Introspection
 
 include(TestBigEndian)
 test_big_endian(WORDS_BIGENDIAN)
@@ -1025,19 +1054,19 @@ include(FindKqueue)
 include(FindCAres)
 include_directories(BEFORE "auxil/out_ptr/include")
 
-if ( (OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0") )
-  set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
-endif()
-if ( (OPENSSL_VERSION VERSION_EQUAL "3.0.0") OR (OPENSSL_VERSION VERSION_GREATER "3.0.0") )
-  set(ZEEK_HAVE_OPENSSL_3_0 true CACHE INTERNAL "" FORCE)
-endif()
+if ((OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0"))
+    set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
+endif ()
+if ((OPENSSL_VERSION VERSION_EQUAL "3.0.0") OR (OPENSSL_VERSION VERSION_GREATER "3.0.0"))
+    set(ZEEK_HAVE_OPENSSL_3_0 true CACHE INTERNAL "" FORCE)
+endif ()
 
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)
 
-if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
-    if ( NOT DISABLE_AF_PACKET )
-        if ( NOT AF_PACKET_PLUGIN_PATH )
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    if (NOT DISABLE_AF_PACKET)
+        if (NOT AF_PACKET_PLUGIN_PATH)
             set(AF_PACKET_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeek-af_packet-plugin)
         endif ()
 
@@ -1045,13 +1074,16 @@ if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
     endif ()
 endif ()
 
-if ( NOT DISABLE_JAVASCRIPT )
+if (NOT DISABLE_JAVASCRIPT)
     set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${PROJECT_SOURCE_DIR}/auxil/zeekjs/cmake)
     find_package(Nodejs)
 
-    if ( NODEJS_FOUND )
-        if ( ${NODEJS_VERSION} VERSION_LESS "16.13.0" )
-            message(STATUS "Node.js version ${NODEJS_VERSION} is too old, need 16.13 or later. Not enabling JavaScript support.")
+    if (NODEJS_FOUND)
+        if (${NODEJS_VERSION} VERSION_LESS "16.13.0")
+            message(
+                STATUS
+                    "Node.js version ${NODEJS_VERSION} is too old, need 16.13 or later. Not enabling JavaScript support."
+            )
             set(ZEEK_HAVE_JAVASCRIPT no)
         else ()
             set(ZEEKJS_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeekjs)
@@ -1065,211 +1097,196 @@ endif ()
 
 set(ZEEK_HAVE_JAVASCRIPT ${ZEEK_HAVE_JAVASCRIPT} CACHE INTERNAL "Zeek has JavaScript support")
 
-set(DEFAULT_ZEEKPATH_PATHS . ${ZEEK_SCRIPT_INSTALL_PATH} ${ZEEK_SCRIPT_INSTALL_PATH}/policy ${ZEEK_SCRIPT_INSTALL_PATH}/site ${ZEEK_SCRIPT_INSTALL_PATH}/builtin-plugins)
-if ( MSVC )
+set(DEFAULT_ZEEKPATH_PATHS
+    . ${ZEEK_SCRIPT_INSTALL_PATH} ${ZEEK_SCRIPT_INSTALL_PATH}/policy
+    ${ZEEK_SCRIPT_INSTALL_PATH}/site ${ZEEK_SCRIPT_INSTALL_PATH}/builtin-plugins)
+if (MSVC)
     list(JOIN DEFAULT_ZEEKPATH_PATHS ";" DEFAULT_ZEEKPATH)
 else ()
     list(JOIN DEFAULT_ZEEKPATH_PATHS ":" DEFAULT_ZEEKPATH)
 endif ()
 
-if ( NOT BINARY_PACKAGING_MODE )
+if (NOT BINARY_PACKAGING_MODE)
     set(ZEEK_DIST ${PROJECT_SOURCE_DIR})
 endif ()
 
-string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-version.h.in
-               ${CMAKE_CURRENT_BINARY_DIR}/zeek-version.h)
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-version.h DESTINATION include/zeek)
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
-               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
 include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR})
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/zeek)
-execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink
-                "."
-                "${CMAKE_CURRENT_BINARY_DIR}/zeek")
+execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink "." "${CMAKE_CURRENT_BINARY_DIR}/zeek")
 
-if ( BinPAC_ROOT_DIR )
-  set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
+if (BinPAC_ROOT_DIR)
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR})
 else ()
-  set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${ZEEK_ROOT_DIR})
+    set(ZEEK_CONFIG_BINPAC_ROOT_DIR ${ZEEK_ROOT_DIR})
 endif ()
 
-if ( BROKER_ROOT_DIR )
-  set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
+if (BROKER_ROOT_DIR)
+    set(ZEEK_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
 else ()
-  set(ZEEK_CONFIG_BROKER_ROOT_DIR ${ZEEK_ROOT_DIR})
+    set(ZEEK_CONFIG_BROKER_ROOT_DIR ${ZEEK_ROOT_DIR})
 endif ()
 
-if ( PCAP_INCLUDE_DIR )
+if (PCAP_INCLUDE_DIR)
     set(ZEEK_CONFIG_PCAP_INCLUDE_DIR ${PCAP_INCLUDE_DIR})
 endif ()
-if ( ZLIB_INCLUDE_DIR )
+if (ZLIB_INCLUDE_DIR)
     set(ZEEK_CONFIG_ZLIB_INCLUDE_DIR ${ZLIB_INCLUDE_DIR})
 endif ()
-if ( OPENSSL_INCLUDE_DIR )
+if (OPENSSL_INCLUDE_DIR)
     set(ZEEK_CONFIG_OPENSSL_INCLUDE_DIR ${OPENSSL_INCLUDE_DIR})
 endif ()
-if ( LibKrb5_INCLUDE_DIR )
+if (LibKrb5_INCLUDE_DIR)
     set(ZEEK_CONFIG_LibKrb5_INCLUDE_DIR ${LibKrb5_INCLUDE_DIR})
 endif ()
-if ( GooglePerftools_INCLUDE_DIR )
+if (GooglePerftools_INCLUDE_DIR)
     set(ZEEK_CONFIG_GooglePerftools_INCLUDE_DIR ${GooglePerftools_INCLUDE_DIR})
 endif ()
 
 set(ZEEK_CONFIG_BTEST_TOOLS_DIR ${ZEEK_ROOT_DIR}/share/btest)
 install(DIRECTORY DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR})
 
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
-               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-config
+               @ONLY)
 install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
 
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/zeek
-        USE_SOURCE_PERMISSIONS
-        PATTERN ".git" EXCLUDE)
+install(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake
+    DESTINATION share/zeek
+    USE_SOURCE_PERMISSIONS
+    PATTERN ".git" EXCLUDE)
 
-if ( NOT MSVC )
-  # Install wrapper script for Bro-to-Zeek renaming.
-  include(InstallShellScript)
-  include(InstallSymlink)
+if (NOT MSVC)
+    # Install wrapper script for Bro-to-Zeek renaming.
+    include(InstallShellScript)
+    include(InstallSymlink)
 endif ()
 
-########################################################################
-## zkg configuration
+# ##############################################################################
+# zkg configuration
 
-if ( INSTALL_ZKG )
-    # An etc/zkg directory for zkg's config file simplifies zkg's
-    # config file code.
+if (INSTALL_ZKG)
+    # An etc/zkg directory for zkg's config file simplifies zkg's config file
+    # code.
     set(ZEEK_ZKG_CONFIG_DIR "${ZEEK_ETC_INSTALL_DIR}/zkg")
     set(ZEEK_ZKG_STATE_DIR "${ZEEK_STATE_DIR}/zkg")
 
-    configure_file(
-        ${CMAKE_CURRENT_SOURCE_DIR}/zkg-config.in
-        ${CMAKE_CURRENT_BINARY_DIR}/zkg-config @ONLY)
+    configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zkg-config.in ${CMAKE_CURRENT_BINARY_DIR}/zkg-config
+                   @ONLY)
 
     install(DIRECTORY DESTINATION var/lib/zkg)
-    install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zkg-config
-        DESTINATION ${ZEEK_ZKG_CONFIG_DIR} RENAME config)
+    install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zkg-config DESTINATION ${ZEEK_ZKG_CONFIG_DIR}
+            RENAME config)
 endif ()
 
-########################################################################
-## Look for external plugins to build in
+# ##############################################################################
+# Look for external plugins to build in
 
 string(REPLACE "," " " _build_in_plugins "${ZEEK_INCLUDE_PLUGINS}")
 separate_arguments(_build_in_plugins)
-foreach(plugin_dir ${_build_in_plugins})
-    if ( NOT IS_ABSOLUTE "${plugin_dir}/CMakeLists.txt" )
-      message(FATAL_ERROR "Plugins to build in need to be defined with absolute path! ${plugin_dir}")
-    endif()
+foreach (plugin_dir ${_build_in_plugins})
+    if (NOT IS_ABSOLUTE "${plugin_dir}/CMakeLists.txt")
+        message(
+            FATAL_ERROR "Plugins to build in need to be defined with absolute path! ${plugin_dir}")
+    endif ()
 
-    if ( NOT EXISTS "${plugin_dir}/CMakeLists.txt" )
-      message(FATAL_ERROR "No plugin found at ${plugin_dir}!")
-    endif()
+    if (NOT EXISTS "${plugin_dir}/CMakeLists.txt")
+        message(FATAL_ERROR "No plugin found at ${plugin_dir}!")
+    endif ()
 
     get_filename_component(plugin_name ${plugin_dir} NAME)
 
-    # Create a list of plugin directories that will then be added in the src/CMakeLists.txt
+    # Create a list of plugin directories that will then be added in the
+    # src/CMakeLists.txt
     list(APPEND BUILTIN_PLUGIN_LIST ${plugin_dir})
 
     message(STATUS "  Building in plugin: ${plugin_name} (${plugin_dir})")
 
-    if ( "${ZEEK_BUILTIN_PLUGINS}" STREQUAL "" )
+    if ("${ZEEK_BUILTIN_PLUGINS}" STREQUAL "")
         set(ZEEK_BUILTIN_PLUGINS ${plugin_name})
     else ()
         set(ZEEK_BUILTIN_PLUGINS "${ZEEK_BUILTIN_PLUGINS}, ${plugin_name}")
     endif ()
-endforeach()
+endforeach ()
 
-########################################################################
-## Populate the ZEEK_BUILD_INFO for use in src/version.c.in
+# ##############################################################################
+# Populate the ZEEK_BUILD_INFO for use in src/version.c.in
 
-if ( WIN32 )
-  # Windows installs Python to C:\Python311\python, but doesn't create a version
-  # or symlink to python3. Call python with the script directly since the shebang
-  # in the script won't work here.
-  execute_process(COMMAND "python" "${PROJECT_SOURCE_DIR}/ci/collect-repo-info.py" "${ZEEK_INCLUDE_PLUGINS}"
-                  WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
-                  OUTPUT_VARIABLE ZEEK_BUILD_INFO
-                  RESULT_VARIABLE ZEEK_BUILD_INFO_RESULT
-                  OUTPUT_STRIP_TRAILING_WHITESPACE)
-else()
-  execute_process(COMMAND "${PROJECT_SOURCE_DIR}/ci/collect-repo-info.py" "${ZEEK_INCLUDE_PLUGINS}"
-                  WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
-                  OUTPUT_VARIABLE ZEEK_BUILD_INFO
-                  RESULT_VARIABLE ZEEK_BUILD_INFO_RESULT
-                  OUTPUT_STRIP_TRAILING_WHITESPACE)
-endif()
+if (WIN32)
+    # Windows installs Python to C:\Python311\python, but doesn't create a version
+    # or symlink to python3. Call python with the script directly since the
+    # shebang in the script won't work here.
+    execute_process(
+        COMMAND "python" "${PROJECT_SOURCE_DIR}/ci/collect-repo-info.py" "${ZEEK_INCLUDE_PLUGINS}"
+        WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+        OUTPUT_VARIABLE ZEEK_BUILD_INFO
+        RESULT_VARIABLE ZEEK_BUILD_INFO_RESULT
+        OUTPUT_STRIP_TRAILING_WHITESPACE)
+else ()
+    execute_process(
+        COMMAND "${PROJECT_SOURCE_DIR}/ci/collect-repo-info.py" "${ZEEK_INCLUDE_PLUGINS}"
+        WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+        OUTPUT_VARIABLE ZEEK_BUILD_INFO
+        RESULT_VARIABLE ZEEK_BUILD_INFO_RESULT
+        OUTPUT_STRIP_TRAILING_WHITESPACE)
+endif ()
 
-if ( NOT ZEEK_BUILD_INFO_RESULT EQUAL "0" )
-  message(FATAL_ERROR "Could not collect repository info")
+if (NOT ZEEK_BUILD_INFO_RESULT EQUAL "0")
+    message(FATAL_ERROR "Could not collect repository info")
 endif ()
 
 # string(JSON ... ) requires CMake 3.19, but then we could do something like:
-# string(JSON ZEEK_BUILD_INFO SET "${ZEEK_BUILD_INFO}"
-#        compile_options cxx_flags "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}")
+# string(JSON ZEEK_BUILD_INFO SET "${ZEEK_BUILD_INFO}" compile_options cxx_flags
+# "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}")
 
-########################################################################
-## Recurse on sub-directories
+# ##############################################################################
+# Recurse on sub-directories
 
 add_subdirectory(src)
 add_subdirectory(scripts)
 add_subdirectory(man)
 add_subdirectory(testing)
 
-include(CheckOptionalBuildSources)
-
-CheckOptionalBuildSources(auxil/btest BTest INSTALL_BTEST)
-CheckOptionalBuildSources(auxil/package-manager ZKG INSTALL_ZKG)
-CheckOptionalBuildSources(auxil/zeekctl   ZeekControl INSTALL_ZEEKCTL)
-CheckOptionalBuildSources(auxil/zeek-aux  Zeek-Aux  INSTALL_AUX_TOOLS)
-CheckOptionalBuildSources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER)
-CheckOptionalBuildSources(auxil/zeek-client ZeekClient INSTALL_ZEEK_CLIENT)
-
-if ( NOT DISABLE_SPICY )
-    # The `zeek` binary implicitly depends on the driver object file built
-    # as part of `spicy`; make that dependency explicit.
+if (NOT DISABLE_SPICY)
     zeek_add_dependencies(spicyz)
-
-    if ( NOT SPICY_ROOT_DIR )
-        # Make sure we build targets of spicy-plugin after the `spicy` target.
-        add_dependencies(plugin-Zeek-Spicy spicy)
-        add_dependencies(spicyz spicy)
-
-        # Also install spicy-plugin's CMake files into Zeek's global `cmake/` folder.
-        #
-        # NOTE: We do not install spicy-plugin's `FindZeek.cmake` since another
-        # version of this file is already provided by Zeek.
-        install(FILES auxil/spicy-plugin/cmake/ZeekSpicyAnalyzerSupport.cmake
-                      auxil/spicy-plugin/cmake/FindSpicy.cmake
-                DESTINATION share/zeek/cmake)
-    endif ()
 endif ()
 
-# Always generate helper scripts referenced in e.g., `zeek-path-dev.*` so the
-# scripts work in any build configuration. If we do not include Spicy these
-# files have no actual effect.
-#
-# Spicy JIT relies on the path of the current executable to figure out
-# whether it is run from a build or an install tree. This assumption
-# gets broken for e.g., `spicyz` when running from the build tree
-# (probably fixable), and also when JIT'ing directly from a `zeek`
-# invocation (much harder to fix). Instead we generate shell
-# definitions to support running and using Spicy or spicy-plugin
-# functionality in the build tree, including JIT'ing directly from
-# Zeek.
-configure_file(${CMAKE_SOURCE_DIR}/auxil/spicy/spicy-path.in ${CMAKE_BINARY_DIR}/spicy-path @ONLY)
-configure_file(${CMAKE_SOURCE_DIR}/auxil/spicy/hilti-cxx-include-dirs.in ${CMAKE_BINARY_DIR}/hilti-cxx-include-dirs @ONLY)
+include(CheckOptionalBuildSources)
 
-########################################################################
-## Packaging Setup
+checkoptionalbuildsources(auxil/btest BTest INSTALL_BTEST)
+checkoptionalbuildsources(auxil/package-manager ZKG INSTALL_ZKG)
+checkoptionalbuildsources(auxil/zeekctl ZeekControl INSTALL_ZEEKCTL)
+checkoptionalbuildsources(auxil/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS)
+checkoptionalbuildsources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER)
+checkoptionalbuildsources(auxil/zeek-client ZeekClient INSTALL_ZEEK_CLIENT)
 
-if ( INSTALL_ZEEKCTL OR INSTALL_ZKG OR INSTALL_ZEEK_CLIENT )
+# Generate Spicy helper scripts referenced in e.g., `zeek-path-dev.*`. These
+# set Spicy-side environment variables to run it out of the build directory.
+configure_file(${CMAKE_SOURCE_DIR}/spicy-path.in ${CMAKE_BINARY_DIR}/spicy-path @ONLY)
+configure_file(${CMAKE_SOURCE_DIR}/hilti-cxx-include-dirs.in
+               ${CMAKE_BINARY_DIR}/hilti-cxx-include-dirs @ONLY)
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-version.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/zeek-version.h)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-version.h DESTINATION include/zeek)
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/zeek)
+
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config-paths.h.in
+               ${CMAKE_CURRENT_BINARY_DIR}/zeek-config-paths.h)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config-paths.h DESTINATION include/zeek)
+
+# ##############################################################################
+# Packaging Setup
+
+if (INSTALL_ZEEKCTL OR INSTALL_ZKG OR INSTALL_ZEEK_CLIENT)
     # CPack RPM Generator may not automatically detect this
     set(CPACK_RPM_PACKAGE_REQUIRES "python >= ${ZEEK_PYTHON_MIN}")
 endif ()
 
-# If this CMake project is a sub-project of another, we will not
-# configure the generic packaging because CPack will fail in the case
-# that the parent project has already configured packaging
+# If this CMake project is a sub-project of another, we will not configure the
+# generic packaging because CPack will fail in the case that the parent project
+# has already configured packaging
 if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
     include(ConfigurePackaging)
     ConfigurePackaging(${VERSION})
@@ -1278,22 +1295,18 @@ endif ()
 # Refers back to the "distribution prefix". This is the source tree when
 # referring to Zeek from the build directory and the "share" directory under the
 # install preifx otherwise.
-set(ZEEK_DIST_PREFIX
-    $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}>
-    $<INSTALL_INTERFACE:${CMAKE_INSTALL_DATAROOTDIR}/foo/bar>)
+set(ZEEK_DIST_PREFIX $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}>
+                     $<INSTALL_INTERFACE:${CMAKE_INSTALL_DATAROOTDIR}/foo/bar>)
 
 # Generate extra config file for the dynamic plugins.
 configure_file(src/ZeekPluginConfig.cmake.in ZeekPluginConfig.cmake @ONLY)
 
 # Write the CMake package and version files.
 configure_package_config_file(
-  "${CMAKE_CURRENT_SOURCE_DIR}/src/ZeekConfig.cmake.in"
-  "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfig.cmake"
-  INSTALL_DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}")
-write_basic_package_version_file(
-  "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfigVersion.cmake"
-  VERSION ${ZEEK_VERSION_NUMBER}
-  COMPATIBILITY ExactVersion)
+    "${CMAKE_CURRENT_SOURCE_DIR}/src/ZeekConfig.cmake.in"
+    "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfig.cmake" INSTALL_DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}")
+write_basic_package_version_file("${CMAKE_CURRENT_BINARY_DIR}/ZeekConfigVersion.cmake"
+                                 VERSION ${ZEEK_VERSION_NUMBER} COMPATIBILITY ExactVersion)
 
 # Write the CMake targets file.
 export(EXPORT ZeekTargets FILE ZeekTargets.cmake NAMESPACE Zeek::)
@@ -1303,66 +1316,57 @@ configure_file(src/ZeekPluginBootstrap.cmake.in ZeekPluginBootstrap.cmake @ONLY)
 install(FILES "${CMAKE_CURRENT_BINARY_DIR}/ZeekPluginBootstrap.cmake"
         DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}")
 
-install(
-  FILES
-    "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfig.cmake"
-    "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfigVersion.cmake"
-  DESTINATION
-    "${ZEEK_CMAKE_CONFIG_DIR}")
+install(FILES "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfig.cmake"
+              "${CMAKE_CURRENT_BINARY_DIR}/ZeekConfigVersion.cmake"
+        DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}")
 
-install(
-  EXPORT ZeekTargets
-  DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}"
-  NAMESPACE Zeek::)
+install(EXPORT ZeekTargets DESTINATION "${ZEEK_CMAKE_CONFIG_DIR}" NAMESPACE Zeek::)
 
-########################################################################
-## Build Summary
+# ##############################################################################
+# Build Summary
 
 if (CMAKE_BUILD_TYPE)
     string(TOUPPER ${CMAKE_BUILD_TYPE} BuildType)
 endif ()
 
-if ( INSTALL_BTEST_PCAPS )
+if (INSTALL_BTEST_PCAPS)
     set(_install_btest_tools_msg "all")
 else ()
     set(_install_btest_tools_msg "no pcaps")
 endif ()
 
 set(_binpac_exe_path "included")
-if ( BINPAC_EXE_PATH )
+if (BINPAC_EXE_PATH)
     set(_binpac_exe_path ${BINPAC_EXE_PATH})
 endif ()
 
 set(_gen_zam_exe_path "included")
-if ( GEN_ZAM_EXE_PATH )
+if (GEN_ZAM_EXE_PATH)
     set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
 endif ()
 
 set(_spicy "included")
-if ( DISABLE_SPICY )
+if (DISABLE_SPICY)
     set(_spicy "disabled")
-elseif ( SPICY_ROOT_DIR )
+elseif (SPICY_ROOT_DIR)
     set(_spicy "external (${SPICY_ROOT_DIR})")
 endif ()
 
-if ( DISABLE_SPICY )
-    set(_spicy_plugin "disabled")
-elseif ( "${_spicy_plugin}" STREQUAL "" )
-    set(_spicy_plugin "external (${SPICY_PLUGIN_PATH})")
-endif ()
-
-if ( ZEEK_LEGACY_ANALYZERS )
+if (ZEEK_LEGACY_ANALYZERS)
     list(JOIN ZEEK_LEGACY_ANALYZERS ", " _legacy_analyzers)
-    set(_legacy_analyzers  "\n          - Using unmaintained legacy analyzers for: ${_legacy_analyzers}")
+    set(_legacy_analyzers
+        "\n          - Using unmaintained legacy analyzers for: ${_legacy_analyzers}")
 endif ()
 
-if ( ZEEK_SKIPPED_ANALYZERS )
+if (ZEEK_SKIPPED_ANALYZERS)
     list(JOIN ZEEK_SKIPPED_ANALYZERS ", " _skipped_analyzers)
     set(_skipped_analyzers "\n          - Skipping analyzers: ${_skipped_analyzers}")
 endif ()
 
-if ( ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS )
-    set(_analyzer_warning "\n\n[Warning] Some analyzers are not available due to lack of built-in Spicy support:${_legacy_analyzers}${_skipped_analyzers}")
+if (ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS)
+    set(_analyzer_warning
+        "\n\n[Warning] Some analyzers are not available due to lack of Spicy support:${_legacy_analyzers}${_skipped_analyzers}"
+    )
 endif ()
 
 message(
@@ -1379,6 +1383,7 @@ message(
     "\nScript dir:        ${ZEEK_SCRIPT_INSTALL_PATH}"
     "\nSpool dir:         ${ZEEK_SPOOL_DIR}"
     "\nState dir:         ${ZEEK_STATE_DIR}"
+    "\nSpicy modules dir: ${ZEEK_SPICY_MODULE_PATH}"
     "\n"
     "\nDebug mode:        ${ENABLE_DEBUG}"
     "\nUnit tests:        ${ENABLE_ZEEK_UNIT_TESTS}"
@@ -1400,7 +1405,6 @@ message(
     "\nGen-ZAM:           ${_gen_zam_exe_path}"
     "\nzkg:               ${INSTALL_ZKG}"
     "\nSpicy:             ${_spicy}"
-    "\nSpicy plugin:      ${_spicy_plugin}"
     "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
     "\nJavaScript:        ${ZEEK_HAVE_JAVASCRIPT}"
     "\n"
@@ -1415,7 +1419,6 @@ message(
     "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
     "${_analyzer_warning}"
     "\n"
-    "\n================================================================\n"
-)
+    "\n================================================================\n")
 
 include(UserChangedWarning)
diff --git a/NEWS b/NEWS
index e5f1d11595..b6ca019137 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,24 @@ This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)
 
+Zeek 6.1.0
+==========
+
+Breaking Changes
+----------------
+
+New Functionality
+-----------------
+
+Changed Functionality
+---------------------
+
+Removed Functionality
+---------------------
+
+Deprecated Functionality
+------------------------
+
 Zeek 6.0.0
 ==========
 
@@ -28,22 +46,6 @@ Breaking Changes
   come in handy for example when working with tests that compare results against
   log baselines that have not yet been updated.
 
-- The zeek/zeek-config.h header does not provide the macros ZEEK_VERSION and
-  ZEEK_VERSION_NUMBER anymore when compiling builtin plugins. This may affect
-  external plugins included via the configure flag ``--include-plugins``
-  referencing these macros. A suggested update for these plugins is adding
-  the following snippet:
-
-	#if __has_include("zeek/zeek-version.h")
-	#include "zeek/zeek-version.h"
-	#endif
-
-  External plugins that are built out-of-tree, e.g. via ``zkg`` are not
-  affected by this change.
-
-  The main motivation is improved ccache effectiveness for speedier CI and
-  development builds whenever a VERSION bump happens.
-
 - Custom source tarballs require a ``repo-info.json`` file.
 
   Note, should you be using official Zeek release tarballs only, or build
@@ -75,6 +77,11 @@ Breaking Changes
 
 - The IRC_Data analyzer declaration has been moved to protocols/irc/IRC.h.
 
+- The error message returned when using ``bro_init``, ``bro_done``, and
+  ``bro_script_loaded`` events is now removed.  removed. Usage of these events
+  has returned that error during script parsing for a few years, and time has
+  come to finally remove it.
+
 New Functionality
 -----------------
 
@@ -102,6 +109,32 @@ New Functionality
 
   To disable this functionality, pass ``--disable-javascript`` to configure.
 
+- Zeek events now hold network timestamps. For scheduled events, the timestamp
+  represents the network time for which the event was scheduled for, otherwise
+  it is the network time at event creation. A new bif ``current_event_time()``
+  allows to retrieve the current event's network timestamp within the script-layer.
+
+  When Zeek sends events via Broker to other nodes in a cluster, an event's network
+  timestamp is attached to the Broker messages. On a receiving Zeek node executing a
+  handler for a remote event, ``current_event_time()`` returns the network time of
+  the sending node at the time the event was created.
+
+  The Broker level implementation allows to exchange arbitrary event metadata, but
+  Zeek's script and C++ APIs currently only expose network timestamp functionality.
+
+- A new bif ``from_json()`` can be used to parse JSON strings into records.
+
+	type A: record { a: addr; };
+	local p = from_json({\"a\": \"192.168.0.1\"}", A);
+	if ( p$valid )
+		print (p$v as A)
+
+  Implicit conversion from JSON to Zeek types is implemented for bool, int, count,
+  real, interval (number as seconds) and time (number as unix timestamp), port
+  (strings in "80/tcp" notation), patterns, addr, subnet, enum, sets, vectors
+  and records similar to the rules of the input framework. Optional or default
+  record fields are allowed to be missing or null in the input.
+
 - Zeek now provides native "Community ID" support with a new bif called
   ``community_id_v1()``. Two policy scripts ``protocols/conn/community-id-logging``
    and ``frameworks/notice/community-id`` extend the respective logs with a
@@ -112,6 +145,25 @@ New Functionality
   Loading the new policy scripts and using the external zeek-community-id
   plugin at the same time is unsupported.
 
+- ZeekControl is now multi-logger aware. When multiple logger nodes are configured
+  in ZeekControl's node.cfg, by default the log archival logic adds a logger's name
+  as suffix to the rotated file name:
+
+	stats.11:18:57-11:19:00-logger-1.log.gz
+	stats.11:18:57-11:19:00-logger-2.log.gz
+
+  Previously, in a multi-logger setup, individual logger processes would overwrite
+  each other's log files during rotation, causing data loss.
+
+  For setups with a single logger, there's no change in behavior. The naming
+  of the final logs can be customized by providing an alternative
+  ``make-archive-name`` script and using the new ``ZEEK_ARG_LOG_SUFFIX``
+  environment variable.
+
+- A supervisor controlled Zeek cluster is now multi-logger aware. This avoids
+  loggers overwriting each other's log files within a single log-queue directory.
+  By default, a logger's name is appended to the rotated logs by zeek-archiver.
+
 - Introduce a new command-line option ``-V`` / ``--build-info``. It produces
   verbose output in JSON format about the repository state and any included
   plugins.
@@ -127,6 +179,18 @@ New Functionality
 - Add logging metrics for streams (``zeek-log-stream-writes``) and writers
   (``zeek-log-writer-writes-total``).
 
+- Add networking metrics via the telemetry framework. These are enabled
+  when the ``misc/stats`` script is loaded.
+
+	zeek-net-dropped-packets
+	zeek-net-link-packets
+	zeek-net-received-bytes
+	zeek-net-packet-lag-seconds
+	zeek-net-received-packets-total
+
+  Except for lag, metrics originate from the ``get_net_stats()`` bif and are
+  updated through the ``Telemetry::sync()`` hook every 15 seconds by default.
+
 - The DNS analyzer now parses RFC 2535's AD ("authentic data") and CD ("checking
   disabled") flags from DNS requests and responses,  making them available in
   the ``dns_msg`` record provided by many of the ``dns_*`` events. The existing
@@ -191,6 +255,38 @@ New Functionality
   Note: There is no tracking of cluster node connectivity. Thus, there is no guarantee
   that all peerings still exist at the time of these events being raised.
 
+- The IEEE 802.11 packet analyzer gains the ability to parse encapsulated A-MSDU
+  packets, instead of just dropping them. It also gains the ability to properly
+  recognize CCMP-encrypted packets. These encrypted packets are currently
+  dropped to Zeek's inability to do anything with them.
+
+- Add packet analzyers for LLC, SNAP, and Novell 802.3, called from the Ethernet
+  and VLAN analyzers by default.
+
+- Environment variables for the execution of log rotation postprocessors can
+  be set via ``Log::default_rotation_postprocessor_cmd_env``.
+
+- The ``record_field`` record was extended by ``optional`` and ``record_fields()``
+  can now be used to determine the optionality of record fields.
+
+- The ``ip4_hdr`` record was extended by ``DF``, ``MF``, ``offset`` and ``sum``
+  to aid packet-level analysis use-cases.
+
+- Zeek now supports parsing the recently standardized DTLS 1.3. Besides the protocol
+  messages being correctly parsed and raising the typical SSL/TLS events, the biggest
+  visible change is the newly added ``ssl_extension_connection_id`` event.
+
+- The NTP analyzer now recognizes when client and server mode messages disagree
+  with the notion of "originator" and "responder" and flips the connection. This
+  can happen in packet loss or packet re-ordering scenarios. Such connections will
+  have a ``^`` added to their history.
+
+- New bifs for ``ceil()`` and ``log2()`` have been added.
+
+- Seeds for deterministic processing can now also be set through a new environment
+  variable called ``ZEEK_SEED_VALUES``. The format is expected to contain 21
+  positive numbers separated by spaces.
+
 Changed Functionality
 ---------------------
 
@@ -280,6 +376,42 @@ Changed Functionality
 - The ``ignore_checksums`` script variable now reflects the correct value
   when using the ``-C`` command-line flag.
 
+- Support for ARUBA GRE tunnels now covers all of the known protocol type values
+  for those tunnels.
+
+- The vlan field reported by the AF_PACKET packet source is now properly
+  masked to exclude PCP and DEI bits. Previously, these bits were included
+  and could cause invalid vlan values > 4095 to be reported.
+
+- Libpcap based packet source now avoids the 32bit wraparound of link and
+  dropped packet counters as reported by users.
+
+- The `ssl_history` field in ssl.log indicates that the letter `j` is reserved
+  for hello retry requests. However, this logging was never fully implemented;
+  instead, hello retry requests were logged like as a server hello (with the letter
+  `s`). This oversight was fixed, and hello retry requests are now correctly logged.
+
+- When per-connection SMB parser state (read offsets, tree ids, ...) exceeds
+  ``SMB::max_pending_messages`` (default 1000), Zeek discards such per-connection
+  state and raises a new ``smb2_discarded_messages_state()`` event. This event is
+  used to reset script-layer SMB state. This change provides protection against
+  unbounded state growth due to partial or one-sided SMB connections.
+
+  Setting ``SMB::max_pending_messages`` to 0 can be used to switch back to the
+  previous behavior of not discarding state. Setting ``SMB::enable_state_clear``
+  to ``F`` skips the script-layer state clearing logic.
+
+- Fix ``disable_analyzer()`` builtin function crashing when attempting to
+  disable connection's root analyzers.
+
+- Zeek script vectors now support negative indices.
+
+	local v = vector(1, 2, 3);
+	print v[-1];  # prints 3
+
+- Function parameters are rendered by Zeekygen as ``:param x`` rather than just
+  ``:x:``. This allows to group parameters Zeek's documentation.
+
 Removed Functionality
 ---------------------
 
diff --git a/README.md b/README.md
index 85c99f0564..7e44ba6b88 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Follow us on Twitter at [@zeekurity](https://twitter.com/zeekurity).
 [![Coverage Status](https://coveralls.io/repos/github/zeek/zeek/badge.svg?branch=master)](https://coveralls.io/github/zeek/zeek?branch=master)
 [![Build Status](https://img.shields.io/cirrus/github/zeek/zeek)](https://cirrus-ci.com/github/zeek/zeek)
 
-[![Slack](https://img.shields.io/badge/slack-@zeek-brightgreen.svg?logo=slack)](https://join.slack.com/t/zeekorg/shared_invite/zt-1ev1nr7z4-rEVSsaIzYzFWpdgh2I6ZOg)
+[![Slack](https://img.shields.io/badge/slack-@zeek-brightgreen.svg?logo=slack)](https://zeek.org/slack)
 [![Discourse](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.zeek.org)](https://community.zeek.org)
 
 </h4>
diff --git a/VERSION b/VERSION
index 4efeadb6c4..982593cc0a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.0.0-dev.421
+6.1.0-dev.4
diff --git a/auxil/bifcl b/auxil/bifcl
index b6f138be79..183a0c7fb0 160000
--- a/auxil/bifcl
+++ b/auxil/bifcl
@@ -1 +1 @@
-Subproject commit b6f138be79f7d4408302b1297b0c63092b019773
+Subproject commit 183a0c7fb0e04b843e4a2bafbee44117001228e6
diff --git a/auxil/binpac b/auxil/binpac
index e820c29116..fad1f73222 160000
--- a/auxil/binpac
+++ b/auxil/binpac
@@ -1 +1 @@
-Subproject commit e820c29116a50a18079e783f47b96111eb7b5b0b
+Subproject commit fad1f7322209d93cfa67be3420aecb441a90468b
diff --git a/auxil/broker b/auxil/broker
index 4fc4c31592..3df48de38e 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 4fc4c31592c4823d675314bc981931de9e246057
+Subproject commit 3df48de38ef75a5d274c2fa59ad3f798a62c6bfc
diff --git a/auxil/btest b/auxil/btest
index f1183514cd..0c3cafb2ed 160000
--- a/auxil/btest
+++ b/auxil/btest
@@ -1 +1 @@
-Subproject commit f1183514cd12468d34cb01b147c8d1859a657c31
+Subproject commit 0c3cafb2ed638f88a446732fa03d90af9bcf796c
diff --git a/auxil/filesystem b/auxil/filesystem
index 3e5b930d96..72a76d774e 160000
--- a/auxil/filesystem
+++ b/auxil/filesystem
@@ -1 +1 @@
-Subproject commit 3e5b930d9690ef6b87dd034916598e0771f8688d
+Subproject commit 72a76d774e4c7c605141fd6d11c33cc211209ed9
diff --git a/auxil/gen-zam b/auxil/gen-zam
index 8534f719a0..16841c9584 160000
--- a/auxil/gen-zam
+++ b/auxil/gen-zam
@@ -1 +1 @@
-Subproject commit 8534f719a0a384769383bbd4ad71c9eb2084823d
+Subproject commit 16841c95849d4d82f239bfb0c46bc217af368da2
diff --git a/auxil/libunistd b/auxil/libunistd
index 8011410a8a..2766a0c45a 160000
--- a/auxil/libunistd
+++ b/auxil/libunistd
@@ -1 +1 @@
-Subproject commit 8011410a8a2ba9b57a544d20efd077f83ecb7eda
+Subproject commit 2766a0c45a6dbcdcf26cd1209a73a13323854961
diff --git a/auxil/package-manager b/auxil/package-manager
index 5ade27d716..e1d8271af1 160000
--- a/auxil/package-manager
+++ b/auxil/package-manager
@@ -1 +1 @@
-Subproject commit 5ade27d716fd65342be592abf277eea114fefaa7
+Subproject commit e1d8271af1f499b3d072c99ae717d2593f551645
diff --git a/auxil/spicy b/auxil/spicy
new file mode 160000
index 0000000000..ec87b43037
--- /dev/null
+++ b/auxil/spicy
@@ -0,0 +1 @@
+Subproject commit ec87b43037dba50648cb93be8940a4db23658905
diff --git a/auxil/spicy-plugin b/auxil/spicy-plugin
deleted file mode 160000
index a618f2ce08..0000000000
--- a/auxil/spicy-plugin
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a618f2ce0831c311f9bcff5d020b85fc44345221
diff --git a/auxil/spicy/CMakeLists.txt b/auxil/spicy/CMakeLists.txt
deleted file mode 100644
index d5bdd87022..0000000000
--- a/auxil/spicy/CMakeLists.txt
+++ /dev/null
@@ -1,58 +0,0 @@
-# Spicy needs the full prefix for Flex and Bison while Zeek captures only the
-# paths to the executables. Derive the prefixes from the binary paths under the
-# assumption that their bindir is under their prefix (which also implies that
-# one such prefix even exists).
-if ( NOT FLEX_EXECUTABLE )
-   find_package(FLEX REQUIRED)
-endif ()
-get_filename_component(dir ${FLEX_EXECUTABLE} DIRECTORY ABSOLUTE)
-set(FLEX_ROOT ${dir}/..)
-
-if ( NOT BISON_EXECUTABLE )
-   find_package(BISON REQUIRED)
-endif ()
-get_filename_component(dir ${BISON_EXECUTABLE} DIRECTORY ABSOLUTE)
-set(BISON_ROOT ${dir}/..)
-
-if ( NOT BINARY_PACKAGING_MODE )
-   # TODO: Broker seems to always turn on static libraries. We don't want that for Spicy by default.
-   set(BUILD_SHARED_LIBS yes)
-endif ()
-
-# Spicy uses slightly less strict warnings than Zeek proper. Mute a few warnings for Spicy.
-# NOTE: Compiler flags are inherited down the directory tree, so in order to
-# set these flags we do need a customizable subdirectory above the Spicy
-# sources.
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-missing-braces")
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-vla")
-
-# GCC 13 adds a new flag to check whether a symbol changes meaning. Due to an issue in one
-# of the dependencies used by Spicy, this causes Zeek to fail to build on that compiler.
-# Until this is fixed, ignore that warning, but check to to make sure the flag exists first.
-include(CheckCXXCompilerFlag)
-check_cxx_compiler_flag("-Wno-changes-meaning" _has_no_changes_meaning_flag)
-if ( _has_no_changes_meaning_flag )
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-changes-meaning")
-endif ()
-
-# The script generating precompiled headers for Spicy expects a different build
-# system layout than provided for a bundled Spicy, disable it.
-set(HILTI_DEV_PRECOMPILE_HEADERS OFF)
-
-add_subdirectory(spicy)
-
-# Disable Spicy unit test targets.
-#
-# Spicy builds its unit tests as part of `ALL`. They are usually not only
-# uninteresting for us but might cause problems. Since any configuration
-# we do for our unit tests happens through global C++ compiler flags, they
-# would get inherited directly by Spicy which can cause issues, e.g., we set
-# `-DDOCTEST_CONFIG_DISABLE` if `ENABLE_ZEEK_UNIT_TESTS` is false, but Spicy
-# unit test do not anticipate this define being set.
-set_target_properties(
-   hilti-rt-tests
-   hilti-rt-configuration-tests
-   spicy-rt-tests
-   hilti-toolchain-tests
-   spicy-toolchain-tests
-   PROPERTIES EXCLUDE_FROM_ALL TRUE)
diff --git a/auxil/spicy/spicy b/auxil/spicy/spicy
deleted file mode 160000
index 64de5d0ef3..0000000000
--- a/auxil/spicy/spicy
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 64de5d0ef323428452827469f07b0a1da8e65e16
diff --git a/auxil/zeek-af_packet-plugin b/auxil/zeek-af_packet-plugin
index 08935a1b93..acd8e365c6 160000
--- a/auxil/zeek-af_packet-plugin
+++ b/auxil/zeek-af_packet-plugin
@@ -1 +1 @@
-Subproject commit 08935a1b93a2d7710d748737e5e653934977a9cf
+Subproject commit acd8e365c652ea6113b70fbbb1339d42e496819d
diff --git a/auxil/zeek-archiver b/auxil/zeek-archiver
index 2b40a6bafe..e36862b3a6 160000
--- a/auxil/zeek-archiver
+++ b/auxil/zeek-archiver
@@ -1 +1 @@
-Subproject commit 2b40a6bafedbbf3fba16d292fd9fe8ba6e9de1bf
+Subproject commit e36862b3a6e70bf8557885e12e74cbc91507a693
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 444a6fbdac..98e5bd2a4c 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 444a6fbdac555f08fbed43d0786355551641c805
+Subproject commit 98e5bd2a4c6c23f6bc3a70bdfe26d17c084c8ab6
diff --git a/auxil/zeek-client b/auxil/zeek-client
index 0ed55db83d..4b4d4242e6 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit 0ed55db83db06fbc0c74be5f7db2922256e95c14
+Subproject commit 4b4d4242e6ebebe41bee0e3ba262cb453b02f88f
diff --git a/auxil/zeekctl b/auxil/zeekctl
index 633b4b3aaf..01c54f8b38 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit 633b4b3aafebde91cc1ded20b2841113681aa60a
+Subproject commit 01c54f8b385c42ac82553fc8e18b28b22f7be62a
diff --git a/auxil/zeekjs b/auxil/zeekjs
index e4ae24051f..e77634d5f9 160000
--- a/auxil/zeekjs
+++ b/auxil/zeekjs
@@ -1 +1 @@
-Subproject commit e4ae24051f31620e8bd7a93e8516797d6734b6d9
+Subproject commit e77634d5f92db96e66de0c36ddc4d44893306fa7
diff --git a/ci/collect-repo-info.py b/ci/collect-repo-info.py
index 8aa6a49cf5..d8bfc8201e 100755
--- a/ci/collect-repo-info.py
+++ b/ci/collect-repo-info.py
@@ -9,6 +9,7 @@ Example usage:
 """
 
 import argparse
+import copy
 import json
 import logging
 import pathlib
@@ -207,6 +208,11 @@ def main():
 
     info["included_plugins"] = included_plugins_info
 
+    zkg_provides_info = copy.deepcopy(included_plugins_info)
+    # Hardcode the former spicy-plugin so that zkg knows Spicy is available.
+    zkg_provides_info.append({"name": "spicy-plugin", "version": info["version"].split("-")[0]})
+    info["zkg"] = {"provides": zkg_provides_info}
+
     json_str = json.dumps(info, indent=2, sort_keys=True)
     print(json_str)
 
diff --git a/ci/fedora-38/Dockerfile b/ci/fedora-38/Dockerfile
new file mode 100644
index 0000000000..d70df35b24
--- /dev/null
+++ b/ci/fedora-38/Dockerfile
@@ -0,0 +1,32 @@
+FROM fedora:38
+
+# A version field to invalidate Cirrus's build cache when needed, as suggested in
+# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
+ENV DOCKERFILE_VERSION 20230428
+
+RUN dnf -y install \
+    bison \
+    ccache \
+    cmake \
+    diffutils \
+    findutils \
+    flex \
+    gcc \
+    gcc-c++ \
+    git \
+    libpcap-devel \
+    make \
+    nodejs-devel \
+    openssl \
+    openssl-devel \
+    procps-ng \
+    python3 \
+    python3-devel \
+    python3-pip\
+    sqlite \
+    swig \
+    which \
+    zlib-devel \
+  && dnf clean all && rm -rf /var/cache/dnf
+
+RUN pip3 install websockets junit2html
diff --git a/ci/fedora-36/Dockerfile b/ci/fedora-38/Dockerfile~
similarity index 100%
rename from ci/fedora-36/Dockerfile
rename to ci/fedora-38/Dockerfile~
diff --git a/ci/opensuse-tumbleweed/Dockerfile b/ci/opensuse-tumbleweed/Dockerfile
index b4d8cf19c1..635f9af1c5 100644
--- a/ci/opensuse-tumbleweed/Dockerfile
+++ b/ci/opensuse-tumbleweed/Dockerfile
@@ -2,7 +2,11 @@ FROM opensuse/tumbleweed
 
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20230330
+ENV DOCKERFILE_VERSION 20230523
+
+# Remove the repo-openh264 repository, it caused intermittent issues
+# and we should not be needing any packages from it.
+RUN zypper modifyrepo --disable repo-openh264 || true
 
 RUN zypper refresh \
  && zypper in -y \
diff --git a/ci/opensuse-tumbleweed/prepare.sh b/ci/opensuse-tumbleweed/prepare.sh
new file mode 100755
index 0000000000..ae8877d060
--- /dev/null
+++ b/ci/opensuse-tumbleweed/prepare.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+zypper refresh
+zypper patch -y --with-update --with-optional
diff --git a/ci/public-ecr-cleanup.sh b/ci/public-ecr-cleanup.sh
new file mode 100755
index 0000000000..7a1f7c809e
--- /dev/null
+++ b/ci/public-ecr-cleanup.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Script to batch-delete all untagged images from ECR public repositories,
+# defaulting to the zeek/zeek-dev repository.
+# First scans for manifest list images that are referencing other images and
+# deletes them, then deletes all remaining untagged images.
+set -eu
+
+if ! command -v aws >/dev/null; then
+    echo "missing aws command" >&2
+    exit 1
+fi
+
+REGISTRY_ID=${REGISTRY_ID:-103243056077}
+REPOSITORY_NAME=${REPOSITORY_NAME:-zeek-dev}
+BATCH_DELETE_SIZE=${BATCH_DELETE_SIZE:-50}
+
+# Chunk up "$1" into BATCH_DELETE_SIZE entries and batch-delete them at once
+# via aws batch-delete.
+#
+# Expected input looks as follows to keep things simple:
+#
+#    imageDigest=sha256:db6...366
+#    imageDigest=sha256:2ad...9b0
+#
+function batch_delete {
+    while read -r batch; do
+        if [ -z "${batch}" ]; then
+            break
+        fi
+
+        echo "Deleting ${batch}"
+        aws ecr-public batch-delete-image \
+            --registry-id "${REGISTRY_ID}" \
+            --repository-name "${REPOSITORY_NAME}" \
+            --image-ids ${batch}
+
+    done < <(xargs -L ${BATCH_DELETE_SIZE} <<<"$1")
+}
+
+# Find all untagged manifest lists with the following media types:
+#
+#    application/vnd.docker.distribution.manifest.list.v2+json
+#    application/vnd.oci.image.index.v1+json
+#
+# These reference other images, so we need to delete them first as
+# otherwise the referenced images can not be deleted.
+IMAGE_DIGESTS=$(aws ecr-public describe-images \
+    --registry-id "${REGISTRY_ID}" \
+    --repository-name "${REPOSITORY_NAME}" \
+    --query 'imageDetails[?!imageTags && (contains(imageManifestMediaType, `manifest.list.v2`) || contains(imageManifestMediaType, `image.index.v1`))].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \
+    --output text)
+
+batch_delete "${IMAGE_DIGESTS}"
+
+# Now find all untagged manifests that are left.
+IMAGE_DIGESTS=$(aws ecr-public describe-images \
+    --registry-id "${REGISTRY_ID}" \
+    --repository-name "${REPOSITORY_NAME}" \
+    --query 'imageDetails[?!imageTags].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \
+    --output text)
+
+batch_delete "${IMAGE_DIGESTS}"
diff --git a/ci/windows/test.cmd b/ci/windows/test.cmd
index aae40887d9..5b5ff7329f 100644
--- a/ci/windows/test.cmd
+++ b/ci/windows/test.cmd
@@ -1,7 +1,11 @@
 :: See build.cmd for documentation on this call.
 call "c:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
 
-:: We currently don't have any tests to run on Windows, so this is just commented out.
-:: We'll expand on this later.
-:: cd build
-:: ctest -C release || exit \b 1
+cd build
+
+:: This sets up ZEEKPATH and ZEEK_PLUGIN_PATH
+call zeek-path-dev.bat
+
+:: Only run the unit tests for now. Btest is supported on Windows but a ton
+:: of tests are still failing so it's not worth trying to run it.
+src\zeek --test
diff --git a/cmake b/cmake
index 6f096c3f6d..4e41cdd77f 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 6f096c3f6dcb9f35664cf25a58989bc5d123b995
+Subproject commit 4e41cdd77f0aa617c23f37b4776a1ba5c4ea4ea3
diff --git a/configure b/configure
index b9d9e16cb9..25bde692b6 100755
--- a/configure
+++ b/configure
@@ -12,6 +12,9 @@ command="$0 $*"
 usage="\
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
+  -h, --help                    display this help and exit
+  --show-config                 display the most relevant config parameters of an existing build
+
   Build Options:
     --cmake=PATH                custom path to a CMake binary
     --builddir=DIR              place build files in directory [build]
@@ -101,7 +104,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-python-inc=PATH path to Python headers
     --with-python-lib=PATH path to libpython
     --with-spicy=PATH      path to Spicy install root
-    --with-spicy-plugin=PATH path to Spicy plugin source tree
     --with-swig=PATH       path to SWIG executable
 
   Packaging Options (for developers):
@@ -149,42 +151,10 @@ append_cache_entry() {
     CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
 }
 
-# Function to remove a CMake cache entry definition from the
-# CMakeCacheEntries variable
-#   $1 is the cache entry variable name
-remove_cache_entry() {
-    CMakeCacheEntries="$CMakeCacheEntries -U $1"
-
-    # Even with -U, cmake still warns by default if
-    # added previously with -D.
-    CMakeCacheEntries="$CMakeCacheEntries --no-warn-unused-cli"
-}
-
 # set defaults
 builddir=build
-prefix=/usr/local/zeek
 CMakeCacheEntries=""
 display_cmake=0
-append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix
-append_cache_entry ZEEK_ROOT_DIR PATH $prefix
-append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
-append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc
-append_cache_entry ENABLE_DEBUG BOOL false
-append_cache_entry ENABLE_PERFTOOLS BOOL false
-append_cache_entry ENABLE_JEMALLOC BOOL false
-append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
-append_cache_entry BUILD_SHARED_LIBS BOOL true
-append_cache_entry INSTALL_AUX_TOOLS BOOL true
-append_cache_entry INSTALL_BTEST BOOL true
-append_cache_entry INSTALL_BTEST_PCAPS BOOL true
-append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL true
-append_cache_entry INSTALL_ZEEK_CLIENT BOOL true
-append_cache_entry INSTALL_ZEEKCTL BOOL true
-append_cache_entry INSTALL_ZKG BOOL true
-append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
-append_cache_entry ZEEK_SANITIZERS STRING ""
-append_cache_entry ZEEK_INCLUDE_PLUGINS STRING ""
-append_cache_entry PREALLOCATE_PORT_ARRAY BOOL true
 
 # parse arguments
 while [ $# -ne 0 ]; do
@@ -198,6 +168,14 @@ while [ $# -ne 0 ]; do
             echo "${usage}" 1>&2
             exit 1
             ;;
+        --show-config)
+            if [ ! -f "$builddir/CMakeCache.txt" ]; then
+                echo "Error: no CMake build found under '$builddir'." 1>&2
+                exit 1
+            fi
+            grep -E "^ENABLE_|^ZEEK_|^INSTALL_|^CMAKE_INSTALL_PRE|^CMAKE_C.*_FLAGS|^CMAKE_C.*_COMPILER|^CMAKE_.*_LINKER_FLAGS|^CMAKE_BUILD" "$builddir/CMakeCache.txt" | grep -v ':INTERNAL'
+            exit 0
+            ;;
         -D)
             shift
             if [ $# -eq 0 ]; then
@@ -217,10 +195,6 @@ while [ $# -ne 0 ]; do
             ;;
         --build-type=*)
             append_cache_entry CMAKE_BUILD_TYPE STRING $optarg
-
-            if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then
-                append_cache_entry ENABLE_DEBUG BOOL true
-            fi
             ;;
         --generator=*)
             CMakeGenerator="$optarg"
@@ -235,9 +209,7 @@ while [ $# -ne 0 ]; do
             append_cache_entry ZEEK_INCLUDE_PLUGINS STRING \"$optarg\"
             ;;
         --prefix=*)
-            prefix=$optarg
             append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
-            append_cache_entry ZEEK_ROOT_DIR PATH $optarg
             ;;
         --libdir=*)
             append_cache_entry CMAKE_INSTALL_LIBDIR PATH $optarg
@@ -405,9 +377,6 @@ while [ $# -ne 0 ]; do
         --with-spicy=*)
             append_cache_entry SPICY_ROOT_DIR PATH $optarg
             ;;
-        --with-spicy-plugin=*)
-            append_cache_entry SPICY_PLUGIN_PATH PATH $optarg
-            ;;
         --with-swig=*)
             append_cache_entry SWIG_EXECUTABLE PATH $optarg
             ;;
@@ -454,14 +423,6 @@ if [ -z "$CMakeCommand" ]; then
     fi
 fi
 
-if [ "$user_set_scriptdir" != "true" ]; then
-    append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
-fi
-
-if [ "$user_set_conffilesdir" != "true" ]; then
-    append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc
-fi
-
 if [ -d $builddir ]; then
     # If build directory exists, check if it has a CMake cache
     if [ -f $builddir/CMakeCache.txt ]; then
diff --git a/doc b/doc
index 6ccf06f0f6..8a0873c710 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 6ccf06f0f6b0c24f120160aeb05307e4c4a44975
+Subproject commit 8a0873c71095136ef1f611a01bf936f7a2805aed
diff --git a/auxil/spicy/hilti-cxx-include-dirs.in b/hilti-cxx-include-dirs.in
similarity index 74%
rename from auxil/spicy/hilti-cxx-include-dirs.in
rename to hilti-cxx-include-dirs.in
index 6c4a140be9..0bc6a8c33b 100755
--- a/auxil/spicy/hilti-cxx-include-dirs.in
+++ b/hilti-cxx-include-dirs.in
@@ -5,9 +5,9 @@
 # variable `HILTI_CXX_INCLUDE_DIRS`.
 
 # Paths to support compiling Spicy parsers in the build tree.
-PATHS=@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/hilti/runtime/include
-PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/spicy/runtime/include
-PATHS=$PATHS:@CMAKE_BINARY_DIR@/auxil/spicy/spicy/include
+PATHS=@CMAKE_SOURCE_DIR@/auxil/spicy/hilti/runtime/include
+PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/runtime/include
+PATHS=$PATHS:@CMAKE_BINARY_DIR@/auxil/spicy/include
 
 # Paths to support compiling against a build tree Zeek.
 PATHS=$PATHS:@CMAKE_BINARY_DIR@
diff --git a/man/CMakeLists.txt b/man/CMakeLists.txt
index 6a8a3d1bd9..48caa17846 100644
--- a/man/CMakeLists.txt
+++ b/man/CMakeLists.txt
@@ -1,5 +1,5 @@
-
-install(DIRECTORY . DESTINATION ${ZEEK_MAN_INSTALL_PATH}/man8 FILES_MATCHING
-        PATTERN "*.8"
-)
-
+install(
+    DIRECTORY .
+    DESTINATION ${ZEEK_MAN_INSTALL_PATH}/man8
+    FILES_MATCHING
+    PATTERN "*.8")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 168eba704b..313877f6e1 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -1,22 +1,22 @@
 include(InstallPackageConfigFile)
 
-install(DIRECTORY ./ DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH} FILES_MATCHING
-        PATTERN "site/local*" EXCLUDE
-        PATTERN "*.zeek"
-        PATTERN "*.sig"
-        PATTERN "*.fp"
-)
+install(
+    DIRECTORY ./
+    DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}
+    FILES_MATCHING
+    PATTERN "site/local*" EXCLUDE
+    PATTERN "*.zeek"
+    PATTERN "*.sig"
+    PATTERN "*.fp")
 
-# Install local script as a config file since it's meant to be modified directly.
-InstallPackageConfigFile(
-    ${CMAKE_CURRENT_SOURCE_DIR}/site/local.zeek
-    ${ZEEK_SCRIPT_INSTALL_PATH}/site
-    local.zeek)
+# Install local script as a config file since it's meant to be modified
+# directly.
+InstallPackageConfigFile(${CMAKE_CURRENT_SOURCE_DIR}/site/local.zeek
+                         ${ZEEK_SCRIPT_INSTALL_PATH}/site local.zeek)
 
 # Substitute values in templated script files, and install them.
-configure_file(
-    ${CMAKE_CURRENT_SOURCE_DIR}/base/misc/installation.zeek.in
-    ${CMAKE_CURRENT_BINARY_DIR}/base/misc/installation.zeek @ONLY)
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/base/misc/installation.zeek.in
+               ${CMAKE_CURRENT_BINARY_DIR}/base/misc/installation.zeek @ONLY)
 
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/base/misc/installation.zeek
-    DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/base/misc)
+        DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/base/misc)
diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek
index ee2cf71681..495885c431 100644
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@@ -318,7 +318,7 @@ function Cluster::get_node_count(node_type: NodeType): count
 
 function Cluster::get_active_node_count(node_type: NodeType): count
 	{
-	return |active_node_ids[node_type]|;
+	return node_type in active_node_ids ? |active_node_ids[node_type]| : 0;
 	}
 
 function is_enabled(): bool
@@ -377,7 +377,7 @@ event Cluster::hello(name: string, id: string) &priority=10
 
 @pragma push ignore-deprecations
 	if ( n$node_type == WORKER )
-		worker_count = |active_node_ids[WORKER]|;
+		worker_count = get_active_node_count(WORKER);
 @pragma pop ignore-deprecations
 	}
 
@@ -402,7 +402,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1
 
 @pragma push ignore-deprecations
 			if ( n$node_type == WORKER )
-				worker_count = |active_node_ids[WORKER]|;
+				worker_count = get_active_node_count(WORKER);
 @pragma pop ignore-deprecations
 
 			event Cluster::node_down(node_name, endpoint$id);
diff --git a/scripts/base/frameworks/cluster/nodes/logger.zeek b/scripts/base/frameworks/cluster/nodes/logger.zeek
index 1021cee100..9dedac27a0 100644
--- a/scripts/base/frameworks/cluster/nodes/logger.zeek
+++ b/scripts/base/frameworks/cluster/nodes/logger.zeek
@@ -22,6 +22,32 @@ redef Log::default_rotation_interval = 1 hrs;
 ## Alarm summary mail interval.
 redef Log::default_mail_alarms_interval = 24 hrs;
 
+## Generic log metadata rendered into the filename that zeek-archiver may interpret.
+## This is populated with a log_suffix entry within zeek_init() when multiple
+## logger nodes are defined in cluster-layout.zeek.
+global log_metadata: table[string] of string;
+
+## Encode the given table as zeek-archiver understood metadata part.
+function encode_log_metadata(tbl: table[string] of string): string
+	{
+	local metadata_vec: vector of string;
+	for ( k, v in log_metadata )
+		{
+		if ( |v| == 0 )  # Assume concious decision to skip this entry.
+			next;
+
+		if ( /[,=]/ in k || /[,=]/ in v )
+			{
+			Reporter::warning(fmt("Invalid log_metadata: k='%s' v='%s'", k, v));
+			next;
+			}
+
+		metadata_vec += fmt("%s=%s", strip(k), strip(v));
+		}
+
+	return join_string_vec(metadata_vec, ",");
+	}
+
 ## This function will rotate logs in a format compatible with zeek-archiver.
 ## If you're using the Supervisor framework, this function will be used,
 ## if not, you can set :zeek:see:`Log::rotation_format_func` to this function.
@@ -30,6 +56,10 @@ function archiver_rotation_format_func(ri: Log::RotationFmtInfo): Log::RotationP
 	local open_str = strftime(Log::default_rotation_date_format, ri$open);
 	local close_str = strftime(Log::default_rotation_date_format, ri$close);
 	local base = fmt("%s__%s__%s__", ri$path, open_str, close_str);
+
+	if ( |log_metadata| > 0 )
+		base = fmt("%s%s__", base, encode_log_metadata(log_metadata));
+
 	local rval = Log::RotationPath($file_basename=base);
 	return rval;
 	}
@@ -42,6 +72,14 @@ redef Log::rotation_format_func = archiver_rotation_format_func;
 
 redef LogAscii::enable_leftover_log_rotation = T;
 
+event zeek_init()
+	{
+	if ( "log_suffix" in log_metadata )
+		return;
+
+	if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
+		log_metadata["log_suffix"] = Cluster::node;
+	}
 @else
 
 ## Use the cluster's archive logging script.
diff --git a/scripts/base/frameworks/files/main.zeek b/scripts/base/frameworks/files/main.zeek
index 7dc6667185..baefdfeecb 100644
--- a/scripts/base/frameworks/files/main.zeek
+++ b/scripts/base/frameworks/files/main.zeek
@@ -510,11 +510,19 @@ function describe(f: fa_file): string
 	return handler$describe(f);
 	}
 
+# Only warn once about un-registered get_file_handle()
+global missing_get_file_handle_warned: table[Files::Tag] of bool &default=F;
+
 event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5
 	{
 	if ( tag !in registered_protocols )
 		{
-		Reporter::warning(fmt("get_file_handle() invoked for %s", tag));
+		if ( ! missing_get_file_handle_warned[tag] )
+			{
+			missing_get_file_handle_warned[tag] = T;
+			Reporter::warning(fmt("get_file_handle() handler missing for %s", tag));
+			}
+
 		set_file_handle(fmt("%s-fallback-%s-%s-%s", tag, c$uid, is_orig, network_time()));
 		return;
 		}
diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek
index 4392bddc3a..f901b97e97 100644
--- a/scripts/base/frameworks/logging/main.zeek
+++ b/scripts/base/frameworks/logging/main.zeek
@@ -172,6 +172,14 @@ export {
 	## Default shell command to run on rotated files. Empty for none.
 	const default_rotation_postprocessor_cmd = "" &redef;
 
+	## This table contains environment variables to be used for the
+	## :zeek:see:`Log::default_rotation_postprocessor_cmd` command
+	## when executed via :zeek:see:`Log::run_rotation_postprocessor_cmd`.
+	##
+	## The entries in this table will be prepended with ``ZEEK_ARG_``
+	## as done by :zeek:see:`system_env`.
+	option default_rotation_postprocessor_cmd_env: table[string] of string = {};
+
 	## Specifies the default postprocessor function per writer type.
 	## Entries in this table are initialized by each writer type.
 	const default_rotation_postprocessors: table[Writer] of function(info: RotationInfo) : bool &redef;
@@ -578,6 +586,7 @@ export {
 	##          to postprocess a rotated log file.
 	##
 	## .. zeek:see:: Log::default_rotation_date_format
+	##    Log::default_rotation_postprocessor_cmd_env
 	##    Log::default_rotation_postprocessor_cmd
 	##    Log::default_rotation_postprocessors
 	global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;
@@ -654,8 +663,7 @@ function default_path_func(id: ID, path: string, rec: any) : string
 		return to_lower(id_str);
 	}
 
-# Run post-processor on file. If there isn't any postprocessor defined,
-# we move the file to a nicer name.
+# Run post-processor on file.
 function run_rotation_postprocessor_cmd(info: RotationInfo, npath: string) : bool
 	{
 	local pp_cmd = default_rotation_postprocessor_cmd;
@@ -668,11 +676,15 @@ function run_rotation_postprocessor_cmd(info: RotationInfo, npath: string) : boo
 
 	# The date format is hard-coded here to provide a standardized
 	# script interface.
-	system(fmt("%s %s %s %s %s %d %s",
-               pp_cmd, safe_shell_quote(npath), safe_shell_quote(info$path),
-               strftime("%y-%m-%d_%H.%M.%S", info$open),
-               strftime("%y-%m-%d_%H.%M.%S", info$close),
-               info$terminating, writer));
+	#
+	# Note that system_env() does not clear the environment, it only
+	# adds entries from the given table. Unusual, but useful here.
+	system_env(fmt("%s %s %s %s %s %d %s",
+	               pp_cmd, safe_shell_quote(npath), safe_shell_quote(info$path),
+	               strftime("%y-%m-%d_%H.%M.%S", info$open),
+	               strftime("%y-%m-%d_%H.%M.%S", info$close),
+	               info$terminating, writer),
+	           Log::default_rotation_postprocessor_cmd_env);
 
 	return T;
 	}
diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek
index 47a6b6dde0..919f683123 100644
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@@ -210,6 +210,7 @@ export {
 		["spontaneous_FIN"]                     = ACTION_IGNORE,
 		["spontaneous_RST"]                     = ACTION_IGNORE,
 		["SMB_parsing_error"]                   = ACTION_LOG,
+		["SMB_discarded_messages_state"]        = ACTION_LOG,
 		["no_smb_session_using_parsesambamsg"]  = ACTION_LOG,
 		["smb_andx_command_failed_to_parse"]    = ACTION_LOG,
 		["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,
diff --git a/scripts/base/frameworks/spicy/__load__.zeek b/scripts/base/frameworks/spicy/__load__.zeek
new file mode 100644
index 0000000000..5f39cb27df
--- /dev/null
+++ b/scripts/base/frameworks/spicy/__load__.zeek
@@ -0,0 +1 @@
+@load ./main.zeek
diff --git a/scripts/base/frameworks/spicy/init-bare.zeek b/scripts/base/frameworks/spicy/init-bare.zeek
new file mode 100644
index 0000000000..a9f9d2dbd7
--- /dev/null
+++ b/scripts/base/frameworks/spicy/init-bare.zeek
@@ -0,0 +1,38 @@
+
+module Spicy;
+
+export {
+# doc-options-start
+    ## Constant for testing if Spicy is available.
+    const available = T;
+
+    ## Show output of Spicy print statements.
+    const enable_print = F &redef;
+
+    # Record and display profiling information, if compiled into analyzer.
+    const enable_profiling = F &redef;
+
+    ## abort() instead of throwing HILTI exceptions.
+    const abort_on_exceptions = F &redef;
+
+    ## Include backtraces when reporting unhandled exceptions.
+    const show_backtraces = F &redef;
+
+    ## Maximum depth of recursive file analysis (Spicy analyzers only)
+    const max_file_depth: count = 5 &redef;
+# doc-options-end
+
+# doc-types-start
+    ## Result type for `Spicy::resource_usage()`. The values reflect resource
+    ## usage as reported by the Spicy runtime system.
+    type ResourceUsage: record {
+        user_time : interval;           ##< user CPU time of the Zeek process
+        system_time :interval;          ##< system CPU time of the Zeek process
+        memory_heap : count;            ##< memory allocated on the heap by the Zeek process
+        num_fibers : count;             ##< number of fibers currently in use
+        max_fibers: count;              ##< maximum number of fibers ever in use
+        max_fiber_stack_size: count;    ##< maximum fiber stack size ever in use
+        cached_fibers: count;           ##< number of fibers currently cached
+    };
+# doc-types-end
+}
diff --git a/scripts/base/frameworks/spicy/init-framework.zeek b/scripts/base/frameworks/spicy/init-framework.zeek
new file mode 100644
index 0000000000..886b0f4170
--- /dev/null
+++ b/scripts/base/frameworks/spicy/init-framework.zeek
@@ -0,0 +1,81 @@
+@load base/misc/version
+
+# doc-common-start
+module Spicy;
+
+export {
+# doc-functions-start
+    ## Enable a specific Spicy protocol analyzer if not already active. If this
+    ## analyzer replaces an standard analyzer, that one will automatically be
+    ## disabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global enable_protocol_analyzer: function(tag: Analyzer::Tag) : bool;
+
+    ## Disable a specific Spicy protocol analyzer if not already inactive. If
+    ## this analyzer replaces an standard analyzer, that one will automatically
+    ## be re-enabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global disable_protocol_analyzer: function(tag: Analyzer::Tag) : bool;
+
+
+    ## Enable a specific Spicy file analyzer if not already active. If this
+    ## analyzer replaces an standard analyzer, that one will automatically be
+    ## disabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global enable_file_analyzer: function(tag: Files::Tag) : bool;
+
+    ## Disable a specific Spicy file analyzer if not already inactive. If
+    ## this analyzer replaces an standard analyzer, that one will automatically
+    ## be re-enabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global disable_file_analyzer: function(tag: Files::Tag) : bool;
+
+    ## Returns current resource usage as reported by the Spicy runtime system.
+    global resource_usage: function() : ResourceUsage;
+# doc-functions-end
+}
+
+# Marked with &is_used to suppress complaints when there aren't any
+# Spicy file analyzers loaded, and hence this event can't be generated.
+# The attribute is only supported for Zeek 5.0 and higher.
+event spicy_analyzer_for_mime_type(a: Files::Tag, mt: string) &is_used
+    {
+    Files::register_for_mime_type(a, mt);
+    }
+
+function enable_protocol_analyzer(tag: Analyzer::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, T);
+    }
+
+function disable_protocol_analyzer(tag: Analyzer::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, F);
+    }
+
+function enable_file_analyzer(tag: Files::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, T);
+    }
+
+function disable_file_analyzer(tag: Files::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, F);
+    }
+
+function resource_usage() : ResourceUsage
+    {
+    return Spicy::__resource_usage();
+    }
diff --git a/scripts/base/frameworks/spicy/main.zeek b/scripts/base/frameworks/spicy/main.zeek
new file mode 100644
index 0000000000..6c7684c47b
--- /dev/null
+++ b/scripts/base/frameworks/spicy/main.zeek
@@ -0,0 +1,15 @@
+@load base/frameworks/notice
+
+module Spicy;
+
+export {
+    redef enum Notice::Type += { Spicy_Max_File_Depth_Exceeded };
+}
+
+event max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
+    {
+    NOTICE([
+            $note=Spicy::Spicy_Max_File_Depth_Exceeded,
+            $msg=fmt("Maximum file depth exceeded for file %s", f$id)
+    ]);
+    }
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index a02f3e38e7..fb15bea8dd 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -891,6 +891,7 @@ type record_field: record {
 	## :zeek:see:`record_fields` (if it has one).
 	value: any &optional;
 	default_val: any &optional;	##< The value of the :zeek:attr:`&default` attribute if defined.
+	optional: bool;	##< True if the field is :zeek:attr:`&optional`, else false.
 };
 
 ## Table type used to map record field declarations to meta-information
@@ -1093,6 +1094,14 @@ type entropy_test_result: record {
 	serial_correlation: double;	##< Serial correlation coefficient.
 };
 
+## Return type for from_json BIF.
+##
+## .. zeek:see:: from_json
+type from_json_result: record { 
+	v: any &optional;	##< Parsed value.
+	valid: bool;	##< True if parsing was successful.
+};
+
 # TCP values for :zeek:see:`endpoint` *state* field.
 # todo:: these should go into an enum to make them autodoc'able.
 const TCP_INACTIVE = 0;	##< Endpoint is still inactive.
@@ -1731,8 +1740,12 @@ type ip4_hdr: record {
 	tos: count;		##< Type of service.
 	len: count;		##< Total length.
 	id: count;		##< Identification.
+	DF: bool;		##< True if the packet's *don't fragment* flag is set.
+	MF: bool;		##< True if the packet's *more fragments* flag is set.
+	offset: count;		##< Fragment offset.
 	ttl: count;		##< Time to live.
 	p: count;		##< Protocol.
+	sum: count;		##< Checksum.
 	src: addr;		##< Source address.
 	dst: addr;		##< Destination address.
 };
@@ -2983,6 +2996,16 @@ export {
 	##
 	## .. zeek:see:: smb_pipe_connect_heuristic
 	const SMB::pipe_filenames: set[string] &redef;
+
+	## The maximum number of messages for which to retain state
+	## about offsets, fids, or tree ids within the parser. When
+	## the limit is reached, internal parser state is discarded
+	## and :zeek:see:`smb2_discarded_messages_state` raised.
+	##
+	## Setting this to zero will disable the functionality.
+	##
+	## .. zeek:see:: smb2_discarded_messages_state
+	const SMB::max_pending_messages = 1000 &redef;
 }
 
 module SMB1;
@@ -5679,3 +5702,7 @@ event net_done(t: time)
 @endif
 
 @load base/packet-protocols
+
+@if ( have_spicy() )
+@load base/frameworks/spicy/init-bare
+@endif
diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek
index 5a11969e4e..cbfcca571d 100644
--- a/scripts/base/init-default.zeek
+++ b/scripts/base/init-default.zeek
@@ -44,6 +44,10 @@
 @load base/frameworks/netcontrol
 @load base/frameworks/telemetry
 
+@if ( have_spicy() )
+@load base/frameworks/spicy
+@endif
+
 @load base/protocols/conn
 @load base/protocols/dce-rpc
 @load base/protocols/dhcp
diff --git a/scripts/base/init-frameworks-and-bifs.zeek b/scripts/base/init-frameworks-and-bifs.zeek
index a346f9543c..62330cf593 100644
--- a/scripts/base/init-frameworks-and-bifs.zeek
+++ b/scripts/base/init-frameworks-and-bifs.zeek
@@ -17,6 +17,10 @@
 # Load BiFs defined by plugins.
 @load base/bif/plugins
 
+@if ( have_spicy() )
+@load base/frameworks/spicy/init-framework
+@endif
+
 # This sets up secondary/subdir BIFs such that they can be used by any
 # further scripts within their global initializations and is intended to be
 # the last thing done within this script.  It's called within @if simply so
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 0dbb22e676..26aebfd95b 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -20,6 +20,9 @@
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp
 @load base/packet-protocols/icmp
+@load base/packet-protocols/llc
+@load base/packet-protocols/novell_802_3
+@load base/packet-protocols/snap
 
 @load base/packet-protocols/gre
 @load base/packet-protocols/iptunnel
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index 7c19b7bfa7..1df6b9a6dc 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -1,13 +1,13 @@
 module PacketAnalyzer::ETHERNET;
 
-export {
-	## IEEE 802.2 SNAP analyzer
-	global snap_analyzer: PacketAnalyzer::Tag &redef;
-	## Novell raw IEEE 802.3 analyzer
-	global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
-	## IEEE 802.2 LLC analyzer
-	global llc_analyzer: PacketAnalyzer::Tag &redef;
-}
+export
+	{
+	# We use some magic numbers here to denote these. The values here are outside the range of the
+	# standard ethertypes, which should always be above 1536.
+	const SNAP_FORWARDING_KEY : count = 0x0001;
+	const NOVELL_FORWARDING_KEY : count = 0x0002;
+	const LLC_FORWARDING_KEY : count = 0x0003;
+	}
 
 event zeek_init() &priority=20
 	{
@@ -22,4 +22,11 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
+
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, SNAP_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_SNAP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, NOVELL_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_NOVELL_802_3);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, LLC_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_LLC);
 	}
diff --git a/scripts/base/packet-protocols/iptunnel/main.zeek b/scripts/base/packet-protocols/iptunnel/main.zeek
index d219c92522..79204f7084 100644
--- a/scripts/base/packet-protocols/iptunnel/main.zeek
+++ b/scripts/base/packet-protocols/iptunnel/main.zeek
@@ -3,3 +3,34 @@ module PacketAnalyzer::IPTUNNEL;
 export {
 	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
 }
+
+event zeek_init() &priority=20
+	{
+	# ARUBA is dispatched to 802.11. This currently relies on GRE to set
+	# gre_link_type = DLT_IEEE_802_11 as otherwise DLT_RAW is used.
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11);
+	# TODO: how to handle 0x9000 here, which should just be dropped?
+	}
diff --git a/scripts/base/packet-protocols/llc/__load__.zeek b/scripts/base/packet-protocols/llc/__load__.zeek
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/packet-protocols/llc/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/packet-protocols/llc/main.zeek b/scripts/base/packet-protocols/llc/main.zeek
new file mode 100644
index 0000000000..71ef6ce036
--- /dev/null
+++ b/scripts/base/packet-protocols/llc/main.zeek
@@ -0,0 +1 @@
+module PacketAnalyzer::LLC;
diff --git a/scripts/base/packet-protocols/novell_802_3/__load__.zeek b/scripts/base/packet-protocols/novell_802_3/__load__.zeek
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/packet-protocols/novell_802_3/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/packet-protocols/novell_802_3/main.zeek b/scripts/base/packet-protocols/novell_802_3/main.zeek
new file mode 100644
index 0000000000..602a101eba
--- /dev/null
+++ b/scripts/base/packet-protocols/novell_802_3/main.zeek
@@ -0,0 +1,6 @@
+module PacketAnalyzer::NOVELL_802_3;
+
+export {
+	# The Novell 802.3 protocol should expect an IPX analyzer here. Since
+	# one doesn't exist yet, the default analyzer is left undefined.
+}
diff --git a/scripts/base/packet-protocols/snap/__load__.zeek b/scripts/base/packet-protocols/snap/__load__.zeek
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/packet-protocols/snap/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/packet-protocols/snap/main.zeek b/scripts/base/packet-protocols/snap/main.zeek
new file mode 100644
index 0000000000..1d789e314e
--- /dev/null
+++ b/scripts/base/packet-protocols/snap/main.zeek
@@ -0,0 +1,9 @@
+module PacketAnalyzer::SNAP;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	}
diff --git a/scripts/base/packet-protocols/vlan/main.zeek b/scripts/base/packet-protocols/vlan/main.zeek
index 3cde704333..900c4270fd 100644
--- a/scripts/base/packet-protocols/vlan/main.zeek
+++ b/scripts/base/packet-protocols/vlan/main.zeek
@@ -1,5 +1,14 @@
 module PacketAnalyzer::VLAN;
 
+export
+	{
+	# We use some magic numbers here to denote these. The values here are outside the range of the
+	# standard ethertypes, which should always be above 1536.
+	const SNAP_FORWARDING_KEY : count = 0x0001;
+	const NOVELL_FORWARDING_KEY : count = 0x0002;
+	const LLC_FORWARDING_KEY : count = 0x0003;
+	}
+
 event zeek_init() &priority=20
 	{
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
@@ -10,4 +19,11 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8035, PacketAnalyzer::ANALYZER_ARP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, SNAP_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_SNAP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, NOVELL_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_NOVELL_802_3);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, LLC_FORWARDING_KEY,
+	                                         PacketAnalyzer::ANALYZER_LLC);
 	}
diff --git a/scripts/base/protocols/ftp/main.zeek b/scripts/base/protocols/ftp/main.zeek
index aceefa0913..804f3eb11b 100644
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@@ -407,8 +407,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 			}
 		}
 
-	if ( [c$ftp$cmdarg$cmd, code] in directory_cmds )
+	if ( [c$ftp$cmdarg$cmd, code] in directory_cmds && ! c$ftp$cmdarg$cwd_consumed )
 		{
+		c$ftp$cmdarg$cwd_consumed = T;
+
 		if ( c$ftp$cmdarg$cmd == "CWD" )
 			c$ftp$cwd = build_path_compressed(c$ftp$cwd, c$ftp$cmdarg$arg);
 
diff --git a/scripts/base/protocols/ftp/utils-commands.zeek b/scripts/base/protocols/ftp/utils-commands.zeek
index 5cbc4515b1..31466970a5 100644
--- a/scripts/base/protocols/ftp/utils-commands.zeek
+++ b/scripts/base/protocols/ftp/utils-commands.zeek
@@ -10,6 +10,9 @@ export {
 		arg:  string &default="";
 		## Counter to track how many commands have been executed.
 		seq:  count &default=0;
+		## Flag indicating if the arg of this CmdArg has been used
+		## to update cwd of c$ftp.
+		cwd_consumed: bool &default=F;
 	};
 
 	## Structure for tracking pending commands in the event that the client
diff --git a/scripts/base/protocols/smb/main.zeek b/scripts/base/protocols/smb/main.zeek
index ed129f8ce1..91e27acffa 100644
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@@ -44,6 +44,13 @@ export {
 		PRINT_CLOSE,
 	};
 
+	## Whether to reset a connection's SMB script state whenever a
+	## :zeek:see:`smb2_discarded_messages_state` event is raised.
+	##
+	## This setting protects from unbounded script state growth in
+	## environments with high capture loss or traffic anomalies.
+	option enable_clear_script_state = T;
+
 	## This record is for the smb_files.log
 	type FileInfo: record {
 		## Time when the file was first discovered.
diff --git a/scripts/base/protocols/smb/smb2-main.zeek b/scripts/base/protocols/smb/smb2-main.zeek
index 8ccaa2df84..31f0a7704a 100644
--- a/scripts/base/protocols/smb/smb2-main.zeek
+++ b/scripts/base/protocols/smb/smb2-main.zeek
@@ -1,3 +1,5 @@
+@load base/frameworks/notice/weird
+
 @load ./main
 
 module SMB2;
@@ -344,3 +346,25 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
 		#Reporter::warning("attempting to close an unknown file!");
 		}
 	}
+
+event smb2_discarded_messages_state(c: connection, state: string)
+	{
+	if ( ! c?$smb_state )
+		return;
+
+	local addl = fmt("state=%s fid_map=%s tid_map=%s pending_cmds=%s pipe_map=%s",
+	                 state, |c$smb_state$fid_map|, |c$smb_state$tid_map|,
+	                 |c$smb_state$pending_cmds|, |c$smb_state$pipe_map|);
+	Reporter::conn_weird("SMB_discarded_messages_state", c, addl, "SMB2");
+
+	if ( ! SMB::enable_clear_script_state )
+		return;
+
+	# Wipe out script-level state for this connection.
+	c$smb_state$fid_map = table();
+	c$smb_state$pending_cmds = table();
+	# Not expected to grow overly large and the original
+	# zeek-smb-clear-state package didn't reset these either.
+	# c$smb_state$tid_map = table();
+	# c$smb_state$pipe_map = table();
+	}
diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek
index fb11ca22b5..7f7188859a 100644
--- a/scripts/base/protocols/ssl/consts.zeek
+++ b/scripts/base/protocols/ssl/consts.zeek
@@ -11,6 +11,7 @@ export {
 	const DTLSv10 = 0xFEFF;
 	# DTLSv11 does not exist
 	const DTLSv12 = 0xFEFD;
+	const DTLSv13 = 0xFEFC;
 
 	## Mapping between the constants and string values for SSL/TLS versions.
 	const version_strings: table[count] of string = {
@@ -21,7 +22,8 @@ export {
 		[TLSv12] = "TLSv12",
 		[TLSv13] = "TLSv13",
 		[DTLSv10] = "DTLSv10",
-		[DTLSv12] = "DTLSv12"
+		[DTLSv12] = "DTLSv12",
+		[DTLSv13] = "DTLSv13"
 	} &default=function(i: count):string
 		{
 		if ( i/0xFF == 0x7F ) # TLS 1.3 draft
diff --git a/scripts/base/protocols/ssl/ct-list.zeek b/scripts/base/protocols/ssl/ct-list.zeek
index 2b38a9c99d..be2663b5f5 100644
--- a/scripts/base/protocols/ssl/ct-list.zeek
+++ b/scripts/base/protocols/ssl/ct-list.zeek
@@ -1,44 +1,35 @@
 #
 # Do not edit this file. This file is automatically generated by gen-ct-list.pl
-# File generated at Thu Oct  6 13:17:02 2022
+# File generated at Wed May  3 10:30:21 2023
 # File generated from https://www.gstatic.com/ct/log_list/v3/log_list.json
-# Source file generated at: 2022-10-05T12:55:24Z
-# Source file version: 13.6
+# Source file generated at: 2023-05-02T12:55:51Z
+# Source file version: 20.60
 #
 
 @load base/protocols/ssl
 module SSL;
 redef ct_logs += {
-["\x29\x79\xbe\xf0\x9e\x39\x39\x21\xf0\x56\x73\x9f\x63\xa5\x77\xe5\xbe\x57\x7d\x9c\x60\x0a\xf8\xf9\x4d\x5d\x26\x5c\x25\x5d\xc7\x84"] = CTInfo($description="Google 'Argon2022' log", $operator="Google", $url="https://ct.googleapis.com/logs/argon2022/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x78\x83\xdc\xe9\xf1\xa6\xb8\x18\x3a\x00\x99\x2f\xff\x3e\xcd\x15\xc9\x26\x1e\xf7\xff\x3a\xa9\xa3\x72\x16\x49\xeb\x09\xb6\xa8\xdd\xb4\xd2\x47\x91\x0e\x0d\xf9\xd9\xd5\xa9\x8b\xb0\x87\x9d\x25\x79\xd4\x1a\x50\x60\x08\xf5\x09\x06\x39\x26\xe4\x40\xc2\xba\xc3\xc2"),
 ["\xe8\x3e\xd0\xda\x3e\xf5\x06\x35\x32\xe7\x57\x28\xbc\x89\x6b\xc9\x03\xd3\xcb\xd1\x11\x6b\xec\xeb\x69\xe1\x77\x7d\x6d\x06\xbd\x6e"] = CTInfo($description="Google 'Argon2023' log", $operator="Google", $url="https://ct.googleapis.com/logs/argon2023/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd0\x90\x8f\x64\x52\x4e\x42\xac\x84\xb6\x2e\x4c\xf2\x3d\x77\x00\xb3\x77\x08\x05\x47\xaa\x45\x4c\xe3\x2c\x8e\x70\xa5\x82\xbb\x6c\xb2\x7b\x9c\x98\x7a\xa0\xe9\x11\x76\x28\x00\xb2\x20\xb4\xcd\xd3\x98\x7b\x4d\x96\x27\xe6\xb7\xee\x22\x6a\xd1\xb0\x2e\x91\x77\x78"),
 ["\xee\xcd\xd0\x64\xd5\xdb\x1a\xce\xc5\x5c\xb7\x9d\xb4\xcd\x13\xa2\x32\x87\x46\x7c\xbc\xec\xde\xc3\x51\x48\x59\x46\x71\x1f\xb5\x9b"] = CTInfo($description="Google 'Argon2024' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1d\xb9\x6c\xa9\xcb\x69\x94\xc5\x5c\xe6\xb6\xa6\x03\xbb\xd2\xb8\xdc\x54\x43\x17\x28\x99\x0c\x06\x01\x50\x1d\x9d\x64\xc0\x59\x46\x2b\xdc\xc8\x03\x1d\x05\xb4\x2d\xa8\x09\xf7\x99\x41\xed\x04\xfb\xe5\x57\xba\x26\x04\xf6\x11\x52\xce\x14\x65\x3b\x2f\x76\x2b\xc0"),
-["\x46\xa5\x55\xeb\x75\xfa\x91\x20\x30\xb5\xa2\x89\x69\xf4\xf3\x7d\x11\x2c\x41\x74\xbe\xfd\x49\xb8\x85\xab\xf2\xfc\x70\xfe\x6d\x47"] = CTInfo($description="Google 'Xenon2022' log", $operator="Google", $url="https://ct.googleapis.com/logs/xenon2022/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf9\x64\xbd\x15\x2c\x40\x62\x50\x95\x13\x38\x3c\xc7\x21\xb0\x3a\xb9\x8f\xa2\x7a\x15\xd7\x89\xd6\x8e\x31\x13\x00\x87\x59\xbc\xbb\xee\x90\xfc\xc8\x58\x13\x0a\xbf\xab\x43\x36\x54\x23\xa4\x81\xcd\xad\x47\x14\xb7\x58\xa0\x44\xfa\x6a\xa0\xa0\xd7\xc3\x63\x1e\x2b"),
 ["\xad\xf7\xbe\xfa\x7c\xff\x10\xc8\x8b\x9d\x3d\x9c\x1e\x3e\x18\x6a\xb4\x67\x29\x5d\xcf\xb1\x0c\x24\xca\x85\x86\x34\xeb\xdc\x82\x8a"] = CTInfo($description="Google 'Xenon2023' log", $operator="Google", $url="https://ct.googleapis.com/logs/xenon2023/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x72\x16\x3e\x0b\xef\xef\xce\x3e\x60\xdd\x95\xcb\x63\x7a\xb9\xa9\x8d\x4a\x6f\x6c\xdc\x61\x80\xa6\x45\x5e\x2f\x83\xac\x94\xf3\x85\x88\xd0\xa5\x74\xd0\x7b\x8e\xff\xc5\xee\x42\xa2\xf0\x2d\x93\xe3\xc2\xd0\xb2\x99\xe2\xe1\x42\xe9\xd2\xc6\x00\x27\x69\x74\xae\xce"),
 ["\x76\xff\x88\x3f\x0a\xb6\xfb\x95\x51\xc2\x61\xcc\xf5\x87\xba\x34\xb4\xa4\xcd\xbb\x29\xdc\x68\x42\x0a\x9f\xe6\x67\x4c\x5a\x3a\x74"] = CTInfo($description="Google 'Xenon2024' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb9\x60\xe0\x34\x1e\x35\xe4\x65\x00\x93\x4f\x90\x09\xbd\x5a\xec\x44\xdd\x8c\x0f\xce\xed\x11\x3e\x2a\x59\x46\x9a\x31\xb6\xc7\x99\xf7\xdc\xef\x3d\xcd\x8f\x86\xc2\x35\xa5\x3e\xdc\x29\xba\xbb\xf2\x54\xe2\xa8\x0c\x83\x08\x51\x06\xde\x21\x6d\x36\x50\x8e\x38\x4d"),
 ["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="https://ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"),
 ["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="https://ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"),
 ["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="https://ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"),
 ["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="https://ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"),
-["\x41\xc8\xca\xb1\xdf\x22\x46\x4a\x10\xc6\xa1\x3a\x09\x42\x87\x5e\x4e\x31\x8b\x1b\x03\xeb\xeb\x4b\xc7\x68\xf0\x90\x62\x96\x06\xf6"] = CTInfo($description="Cloudflare 'Nimbus2022' Log", $operator="Cloudflare", $url="https://ct.cloudflare.com/logs/nimbus2022/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xb2\x47\x4e\x50\x32\x72\x62\x4a\x0d\x0c\x48\xbf\xad\x29\x64\x6f\x20\xdf\x79\x52\x63\x16\x29\x0a\x2e\x60\xb5\xe2\x3a\x1c\xb7\xaf\x59\xb1\x55\x09\xdb\x59\xc7\xe9\xbd\x6f\xed\x0b\xaf\x05\x96\x97\xff\x3b\x9a\x43\x4d\xeb\x11\x34\x33\x8a\xe7\xac\x83\xc0\xff"),
 ["\x7a\x32\x8c\x54\xd8\xb7\x2d\xb6\x20\xea\x38\xe0\x52\x1e\xe9\x84\x16\x70\x32\x13\x85\x4d\x3b\xd2\x2b\xc1\x3a\x57\xa3\x52\xeb\x52"] = CTInfo($description="Cloudflare 'Nimbus2023' Log", $operator="Cloudflare", $url="https://ct.cloudflare.com/logs/nimbus2023/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8b\xff\x2d\x92\x18\xcb\x46\x9d\x12\x5e\xb9\x59\x75\x3c\xcd\x91\x37\x7a\x1e\xa9\x9c\x99\x78\x83\x27\x3d\xdf\x01\xd5\x8b\x80\xe8\x63\x9a\xfe\x26\xa2\x1b\xd1\x87\x05\xee\x97\xd6\xe0\x5b\x43\x83\x81\x1c\x02\xf5\x41\x80\x80\x7f\xef\xa4\x61\xcf\xbc\x84\xb5\xa8"),
 ["\xda\xb6\xbf\x6b\x3f\xb5\xb6\x22\x9f\x9b\xc2\xbb\x5c\x6b\xe8\x70\x91\x71\x6c\xbb\x51\x84\x85\x34\xbd\xa4\x3d\x30\x48\xd7\xfb\xab"] = CTInfo($description="Cloudflare 'Nimbus2024' Log", $operator="Cloudflare", $url="https://ct.cloudflare.com/logs/nimbus2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x77\xb1\x9b\x7b\x8f\xe6\x8b\x35\xfe\x3a\x92\x29\x2d\xac\x8a\x8d\x51\x8a\x25\xfc\x93\xb6\xd7\xa0\x8b\x29\x37\x71\x1d\x33\xca\xcc\x33\xea\x28\xb9\x1f\xe2\xac\xc3\xa9\x5d\xdd\x97\xbe\xf6\x9e\x94\x25\xdd\x36\x81\xd1\xeb\x5d\x29\xc3\x2b\x44\xf1\x5b\xca\x15\x48"),
-["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="https://ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"),
-["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="https://ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"),
-["\x22\x45\x45\x07\x59\x55\x24\x56\x96\x3f\xa1\x2f\xf1\xf7\x6d\x86\xe0\x23\x26\x63\xad\xc0\x4b\x7f\x5d\xc6\x83\x5c\x6e\xe2\x0f\x02"] = CTInfo($description="DigiCert Yeti2022 Log", $operator="DigiCert", $url="https://yeti2022.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x9f\xf8\xd8\x1d\xde\xfb\x5b\x51\xb5\xfb\x5d\xf5\xb5\xde\x66\x11\xb0\x9d\x5f\xfd\x6f\xfc\xa8\x98\x5b\x98\x4f\x2d\xc3\x91\x3a\xfb\xfe\xc4\x0f\x0d\xc3\x60\x43\x8c\x1e\xf2\xf9\x11\xb2\xba\xd0\xf6\xbc\xa5\xd2\xb6\x9f\xf9\x5c\x87\xa2\x7d\xfc\xd4\x7d\xd6\x13\x26"),
 ["\x35\xcf\x19\x1b\xbf\xb1\x6c\x57\xbf\x0f\xad\x4c\x6d\x42\xcb\xbb\xb6\x27\x20\x26\x51\xea\x3f\xe1\x2a\xef\xa8\x03\xc3\x3b\xd6\x4c"] = CTInfo($description="DigiCert Yeti2023 Log", $operator="DigiCert", $url="https://yeti2023.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\x0d\x03\xb1\xd5\x98\x8a\xdc\xf0\x15\x3b\xc6\xdc\x5e\x0d\x6e\x3f\x0d\xbf\x95\xc8\x55\x8c\xd0\xa6\x4c\x96\xb1\x4e\x27\xb9\x26\x25\x99\xcc\x2b\x02\x9e\xa6\xd3\xdd\x9f\xb1\xd5\xc4\xc3\xac\x35\x04\x07\x87\x97\x36\xaa\xad\x28\x0d\x7f\x2b\xd9\x68\x9f\x72\xd1"),
 ["\x48\xb0\xe3\x6b\xda\xa6\x47\x34\x0f\xe5\x6a\x02\xfa\x9d\x30\xeb\x1c\x52\x01\xcb\x56\xdd\x2c\x81\xd9\xbb\xbf\xab\x39\xd8\x84\x73"] = CTInfo($description="DigiCert Yeti2024 Log", $operator="DigiCert", $url="https://yeti2024.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x57\xb8\xc1\x6f\x30\xa4\x7f\x2e\xe4\xf0\xd0\xd9\x60\x62\x13\x95\xe3\x7a\xe3\x4e\x53\xc3\xb3\xb8\x73\x85\xc1\x18\x0d\x23\x0e\x58\x84\xd2\x78\xef\x9b\xb3\x1e\x2c\x1a\xde\xc1\x8f\x81\x1b\x19\x44\x58\xb7\x00\x77\x60\x20\x1a\x72\xd8\x82\xde\xae\x9e\xb1\xc6\x4b"),
 ["\x7d\x59\x1e\x12\xe1\x78\x2a\x7b\x1c\x61\x67\x7c\x5e\xfd\xf8\xd0\x87\x5c\x14\xa0\x4e\x95\x9e\xb9\x03\x2f\xd9\x0e\x8c\x2e\x79\xb8"] = CTInfo($description="DigiCert Yeti2025 Log", $operator="DigiCert", $url="https://yeti2025.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xdf\x95\x00\x5e\x10\xc1\x01\xf7\x37\xe3\x10\x74\xd1\xff\xb2\xca\x90\xed\x32\x99\x5f\x0c\x39\xfe\xa1\xd1\x13\x11\xac\xd1\xb3\x73\x93\x20\xc2\x13\x3c\x4c\xb5\x7a\x52\x86\x86\x3d\xe3\x95\x24\x7c\xd8\x91\x98\x48\x3b\xf0\xf0\xdf\x21\xf1\xb0\x81\x5a\x59\x25\x43"),
-["\x51\xa3\xb0\xf5\xfd\x01\x79\x9c\x56\x6d\xb8\x37\x78\x8f\x0c\xa4\x7a\xcc\x1b\x27\xcb\xf7\x9e\x88\x42\x9a\x0d\xfe\xd4\x8b\x05\xe5"] = CTInfo($description="DigiCert Nessie2022 Log", $operator="DigiCert", $url="https://nessie2022.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x24\xdd\x68\x03\x28\xcb\xfe\x63\xbe\x0e\x11\x47\x4d\x7d\x17\x68\xa1\x11\x5d\x4c\x71\xc9\x41\x28\xc7\xb6\xa2\x4b\x97\xec\xc0\xaf\xfc\x2f\x3b\xbf\xe9\xf1\xb1\xfc\xf5\x01\xff\xa9\xfb\x49\x40\x0c\x63\x24\x98\xd7\x79\x2e\xa6\x55\xab\x16\xc6\xbe\x51\xd8\x71"),
 ["\xb3\x73\x77\x07\xe1\x84\x50\xf8\x63\x86\xd6\x05\xa9\xdc\x11\x09\x4a\x79\x2d\xb1\x67\x0c\x0b\x87\xdc\xf0\x03\x0e\x79\x36\xa5\x9a"] = CTInfo($description="DigiCert Nessie2023 Log", $operator="DigiCert", $url="https://nessie2023.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\x7b\xbc\x89\x0c\x12\x09\x14\x9f\xd8\x26\xc8\x4c\x6a\x54\xa4\x1b\x45\x56\xdf\x3e\x23\x42\x14\xd1\xdd\x42\xdf\xa2\xdf\x7b\x5f\x9f\x6f\x07\x5a\x23\x46\x79\x16\x4b\x5f\x33\x67\xc1\xa0\x8d\x5b\x5c\x17\x75\xf2\x4d\xa0\x80\xa1\x98\x1a\x07\x59\x06\x02\xca\x4e"),
 ["\x73\xd9\x9e\x89\x1b\x4c\x96\x78\xa0\x20\x7d\x47\x9d\xe6\xb2\xc6\x1c\xd0\x51\x5e\x71\x19\x2a\x8c\x6b\x80\x10\x7a\xc1\x77\x72\xb5"] = CTInfo($description="DigiCert Nessie2024 Log", $operator="DigiCert", $url="https://nessie2024.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2d\xfc\xa2\x7b\x36\xbf\x56\x91\xe9\xfe\x3f\xe8\x3d\xfc\xc3\xa7\xe0\x61\x52\xea\x2c\xe9\x05\xa3\x9f\x27\x17\x81\x05\x70\x6b\x81\x61\x44\x8a\xf8\x3b\x10\x80\x42\xed\x03\x2f\x00\x50\x21\xfc\x41\x54\x84\xa3\x54\xd5\x2e\xb2\x7a\x16\x4b\x2a\x1f\x2b\x66\x04\x2b"),
 ["\xe6\xd2\x31\x63\x40\x77\x8c\xc1\x10\x41\x06\xd7\x71\xb9\xce\xc1\xd2\x40\xf6\x96\x84\x86\xfb\xba\x87\x32\x1d\xfd\x1e\x37\x8e\x50"] = CTInfo($description="DigiCert Nessie2025 Log", $operator="DigiCert", $url="https://nessie2025.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\xf0\xf0\xa7\x8b\x81\x2e\x09\x39\x3b\x9f\x42\xda\x38\x44\x5f\xb4\xcc\xed\x36\xbb\xd8\x43\x7f\x16\x49\x57\x87\x04\x7f\xa5\x01\x34\xf7\xe8\x68\x3f\xb7\x78\x1f\x60\x66\x2d\x67\x9a\x75\x80\xb7\x53\xa7\x85\xd5\xbc\xab\x47\x06\x55\xdb\xb5\xdf\x88\xa1\x6f\x38"),
-["\x05\x9c\x01\xd3\x20\xe0\x07\x84\x13\x95\x80\x49\x8d\x11\x7c\x90\x32\x66\xaf\xaf\x72\x50\xb5\xaf\x3b\x46\xa4\x3e\x11\x84\x0d\x4a"] = CTInfo($description="DigiCert Yeti2022-2 Log", $operator="DigiCert", $url="https://yeti2022-2.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1d\x69\x5e\x3f\x0a\xf2\x71\x77\xcd\x9d\x5d\xc3\x34\x49\x00\xee\x60\x77\xe1\x72\x76\x74\xa8\x7c\x5c\x7d\x09\xf2\x32\x1d\x05\x7e\x2e\xfe\x5b\x31\xd5\x3a\xfd\x73\x34\x6e\x49\x14\x4e\x50\x58\x96\x5a\xc4\xc7\xf4\xbe\x05\x64\xa4\xf7\xd7\xe5\xb1\x6d\x33\x0c\xc3"),
 ["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Sectigo 'Sabre' CT log", $operator="Sectigo", $url="https://sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"),
 ["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Sectigo 'Mammoth' CT log", $operator="Sectigo", $url="https://mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"),
-["\xdf\xa5\x5e\xab\x68\x82\x4f\x1f\x6c\xad\xee\xb8\x5f\x4e\x3e\x5a\xea\xcd\xa2\x12\xa4\x6a\x5e\x8e\x3b\x12\xc0\x20\x44\x5c\x2a\x73"] = CTInfo($description="Let's Encrypt 'Oak2022' log", $operator="Let's Encrypt", $url="https://oak.ct.letsencrypt.org/2022/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x86\x3c\xb1\x0d\x52\x23\x5a\xde\x6e\xf6\xc0\x7f\xa3\x64\xbc\xad\xc1\x89\xda\x97\x59\x4c\x60\x3c\xf8\x8a\x57\x84\x8f\xed\xbc\xa0\x63\x12\x51\x84\xe6\xbd\xdd\x7b\x8c\x80\x7d\xe3\x8f\x86\xa4\xea\xa9\xcf\xa8\xee\xf3\xe0\x5e\x70\xe0\xbb\xf6\xbd\xfc\x1f\x91\x2e"),
 ["\xb7\x3e\xfb\x24\xdf\x9c\x4d\xba\x75\xf2\x39\xc5\xba\x58\xf4\x6c\x5d\xfc\x42\xcf\x7a\x9f\x35\xc4\x9e\x1d\x09\x81\x25\xed\xb4\x99"] = CTInfo($description="Let's Encrypt 'Oak2023' log", $operator="Let's Encrypt", $url="https://oak.ct.letsencrypt.org/2023/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb3\x3d\x0e\x78\xbe\xe3\xad\x5c\x44\x5c\x9b\xbe\xa3\x84\x16\x41\x82\xca\xca\x89\x17\x1e\x23\xce\x38\xa5\x54\x2f\x7f\xd3\x34\x51\x6a\xb9\x5c\xc3\x49\xea\xfb\x91\x9d\xe0\x8a\x3c\x73\x06\x9f\x7c\x65\x38\x11\x80\xc4\x9a\x5a\x00\xa6\x67\xc3\x83\xef\x89\x85\x51"),
 ["\x3b\x53\x77\x75\x3e\x2d\xb9\x80\x4e\x8b\x30\x5b\x06\xfe\x40\x3b\x67\xd8\x4f\xc3\xf4\xc7\xbd\x00\x0d\x2d\x72\x6f\xe1\xfa\xd4\x17"] = CTInfo($description="Let's Encrypt 'Oak2024H1' log", $operator="Let's Encrypt", $url="https://oak.ct.letsencrypt.org/2024h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x56\x43\xd7\x7e\x7b\xd4\x72\xb7\xba\xa9\x51\xbd\x36\x93\xb7\xe9\xb5\x92\x0f\xea\x5e\xb7\x45\xa3\x92\xfd\xc9\xa5\x3c\x80\xac\x1a\x20\xef\x25\x2f\xb8\xe1\x20\xf7\xa8\x3a\x2e\x07\x8d\xe6\xeb\xa4\xe2\x7d\x24\x63\x9f\x46\xbf\x94\x73\x52\x8d\x96\xae\xa9\x26\xfd"),
 ["\x3f\x17\x4b\x4f\xd7\x22\x47\x58\x94\x1d\x65\x1c\x84\xbe\x0d\x12\xed\x90\x37\x7f\x1f\x85\x6a\xeb\xc1\xbf\x28\x85\xec\xf8\x64\x6e"] = CTInfo($description="Let's Encrypt 'Oak2024H2' log", $operator="Let's Encrypt", $url="https://oak.ct.letsencrypt.org/2024h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\x73\xd6\x53\x47\xe9\xf3\xc9\xd5\x7c\x16\xc2\xd6\x8f\x70\x65\xfa\xf2\x51\x36\xa9\x13\x80\x2f\xed\xf9\x94\xd3\x5a\x8b\xe8\x4f\x33\xcf\xc3\xd3\x89\xd4\x5f\x5a\x66\x89\xba\x20\x1f\x71\xcb\xca\xbb\x9f\x9f\xf3\x5c\x2d\x1e\xa3\x81\x59\xaf\x92\xb3\x6d\x30\x68"),
-["\xc3\x65\xf9\xb3\x65\x4f\x32\x83\xc7\x9d\xa9\x8e\x93\xd7\x41\x8f\x5b\xab\x7b\xe3\x25\x2c\x98\xe1\xd2\xf0\x4b\xb9\xeb\x42\x7d\x23"] = CTInfo($description="Trust Asia Log2022", $operator="TrustAsia", $url="https://ct.trustasia.com/log2022/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xbb\x52\xf2\x16\xcf\x92\x0b\xce\x79\xe6\x54\x6d\xc2\x37\x53\xa4\xf5\xf9\x3a\xa9\xb3\x05\xec\x1d\xbd\x16\xec\x30\xac\x2e\xf8\x79\x62\x35\x15\x8e\x1a\xd8\x16\x2e\xe4\x48\x6b\xf6\xc6\x13\xf1\x96\x2e\x5c\x10\xfe\x19\x1e\xa8\x18\xb8\x0f\x2d\xc3\xa4\x86\x51\x97"),
 ["\xe8\x7e\xa7\x66\x0b\xc2\x6c\xf6\x00\x2e\xf5\x72\x5d\x3f\xe0\xe3\x31\xb9\x39\x3b\xb9\x2f\xbf\x58\xeb\x3b\x90\x49\xda\xf5\x43\x5a"] = CTInfo($description="Trust Asia Log2023", $operator="TrustAsia", $url="https://ct.trustasia.com/log2023/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa4\x11\x52\xdb\x17\x41\x4e\x90\xd4\x56\x51\x12\x30\x52\xf8\x9b\x03\xcf\x4c\x9f\xf8\x2e\x38\xb5\xf1\x5a\xba\xfa\x38\xb9\xd2\x8f\x1a\x81\xda\x95\xcc\x33\xec\x21\x28\x66\xc6\x56\x3e\x60\x36\x21\x20\xd9\xd4\xac\x5d\xfa\x5c\x19\xa1\x05\x7d\xfe\x20\x23\xfc\xf5"),
+["\x87\x4f\xb5\x0d\xc0\x29\xd9\x93\x1d\xe5\x73\xe9\xf2\x89\x9e\x8e\x45\x33\xb3\x92\xd3\x8b\x0a\x46\x25\x74\xbf\x0f\xee\xb2\xfc\x1e"] = CTInfo($description="Trust Asia Log2024-2", $operator="TrustAsia", $url="https://ct2024.trustasia.com/log2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa7\x64\xe2\x79\x81\x3f\x61\xd7\xec\xc6\xf8\x65\x28\x1d\xa0\xb4\x66\x33\xc3\x25\xd5\x0a\x95\x78\x9c\x8f\xfe\xa4\x2a\xd8\x8f\x7e\x72\xe0\xfe\xa8\x7f\xf8\xb1\x2d\x85\xc0\x8e\x12\x74\x0d\x2f\x8c\xab\xd7\x7f\x7a\x1e\xd9\x84\x33\x39\xe8\xfd\x89\x5f\x96\x48\x08"),
 };
diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index 04f226046a..7ab0ee0b67 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -68,6 +68,9 @@ export {
 		## Flag to indicate if this record already has been logged, to
 		## prevent duplicates.
 		logged:           bool             &default=F;
+		## Flag to indicate that we have seen a Hello Retry request message.
+		## Used internally for ssl_history logging
+		hrr_seen:         bool             &default=F;
 
 		## SSL history showing which types of packets we received in which order.
 		## Letters have the following meaning with client-sent letters being capitalized:
@@ -283,6 +286,10 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 		}
 	c$ssl$cipher = cipher_desc[cipher];
 
+	# Check if this is a hello retry request. A magic value in the random is used to signal this
+	if ( server_random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" )
+		c$ssl$hrr_seen = T;
+
 	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
 		c$ssl$resumed = T;
 	}
@@ -360,7 +367,14 @@ event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, len
 			add_to_history(c, is_client, "c");
 			break;
 		case SSL::SERVER_HELLO:
-			add_to_history(c, is_client, "s");
+			if ( c$ssl$hrr_seen )
+				{
+				# the server_hello event is raised first, and sets the flag
+				add_to_history(c, is_client, "j");
+				c$ssl$hrr_seen = F;
+				}
+			else
+				add_to_history(c, is_client, "s");
 			break;
 		case SSL::HELLO_VERIFY_REQUEST:
 			add_to_history(c, is_client, "v");
@@ -512,7 +526,11 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,
 
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 	{
-	# if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-	# 	if ( info$c?$ssl )
-	# 		finish(info$c, T);
+#	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+#		if ( info$c?$ssl )
+#			{
+#			# analyzer errored out; prevent us from trying to remove it later
+#			delete info$c$ssl$analyzer_id;
+#			finish(info$c, F);
+#			}
 	}
diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.zeek b/scripts/base/protocols/ssl/mozilla-ca-list.zeek
index 160ae25452..3321bd6e80 100644
--- a/scripts/base/protocols/ssl/mozilla-ca-list.zeek
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.zeek
@@ -1,6 +1,6 @@
 # Don't edit!  This file is automatically generated.
-# Generated at: 2022-04-28 12:57:26 +0100
-# Generated from: NSS 3.78
+# Generated at: 2023-05-03 10:29:01 +0100
+# Generated from: NSS 3.89
 #
 # The original source file comes with this licensing statement:
 #
@@ -30,7 +30,6 @@ redef root_certs += {
 	["CN=SecureTrust CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xB8\x30\x82\x02\xA0\xA0\x03\x02\x01\x02\x02\x10\x0C\xF0\x8E\x5C\x08\x16\xA5\xAD\x42\x7F\xF0\xEB\x27\x18\x59\xD0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x33\x31\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x34\x30\x35\x35\x5A\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\xA4\x81\xE5\x95\xCD\xF5\xF6\x14\x8E\xC2\x4F\xCA\xD4\xE2\x78\x95\x58\x9C\x41\xE1\x0D\x99\x40\x24\x17\x39\x91\x33\x66\xE9\xBE\xE1\x83\xAF\x62\x5C\x89\xD1\xFC\x24\x5B\x61\xB3\xE0\x11\x11\x41\x1C\x1D\x6E\xF0\xB8\xBB\xF8\xDE\xA7\x81\xBA\xA6\x48\xC6\x9F\x1D\xBD\xBE\x8E\xA9\x41\x3E\xB8\x94\xED\x29\x1A\xD4\x8E\xD2\x03\x1D\x03\xEF\x6D\x0D\x67\x1C\x57\xD7\x06\xAD\xCA\xC8\xF5\xFE\x0E\xAF\x66\x25\x48\x04\x96\x0B\x5D\xA3\xBA\x16\xC3\x08\x4F\xD1\x46\xF8\x14\x5C\xF2\xC8\x5E\x01\x99\x6D\xFD\x88\xCC\x86\xA8\xC1\x6F\x31\x42\x6C\x52\x3E\x68\xCB\xF3\x19\x34\xDF\xBB\x87\x18\x56\x80\x26\xC4\xD0\xDC\xC0\x6F\xDF\xDE\xA0\xC2\x91\x16\xA0\x64\x11\x4B\x44\xBC\x1E\xF6\xE7\xFA\x63\xDE\x66\xAC\x76\xA4\x71\xA3\xEC\x36\x94\x68\x7A\x77\xA4\xB1\xE7\x0E\x2F\x81\x7A\xE2\xB5\x72\x86\xEF\xA2\x6B\x8B\xF0\x0F\xDB\xD3\x59\x3F\xBA\x72\xBC\x44\x24\x9C\xE3\x73\xB3\xF7\xAF\x57\x2F\x42\x26\x9D\xA9\x74\xBA\x00\x52\xF2\x4B\xCD\x53\x7C\x47\x0B\x36\x85\x0E\x66\xA9\x08\x97\x16\x34\x57\xC1\x66\xF7\x80\xE3\xED\x70\x54\xC7\x93\xE0\x2E\x28\x15\x59\x87\xBA\xBB\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x42\x32\xB6\x16\xFA\x04\xFD\xFE\x5D\x4B\x7A\xC3\xFD\xF7\x4C\x40\x1D\x5A\x43\xAF\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x54\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x30\xED\x4F\x4A\xE1\x58\x3A\x52\x72\x5B\xB5\xA6\xA3\x65\x18\xA6\xBB\x51\x3B\x77\xE9\x9D\xEA\xD3\x9F\x5C\xE0\x45\x65\x7B\x0D\xCA\x5B\xE2\x70\x50\xB2\x94\x05\x14\xAE\x49\xC7\x8D\x41\x07\x12\x73\x94\x7E\x0C\x23\x21\xFD\xBC\x10\x7F\x60\x10\x5A\x72\xF5\x98\x0E\xAC\xEC\xB9\x7F\xDD\x7A\x6F\x5D\xD3\x1C\xF4\xFF\x88\x05\x69\x42\xA9\x05\x71\xC8\xB7\xAC\x26\xE8\x2E\xB4\x8C\x6A\xFF\x71\xDC\xB8\xB1\xDF\x99\xBC\x7C\x21\x54\x2B\xE4\x58\xA2\xBB\x57\x29\xAE\x9E\xA9\xA3\x19\x26\x0F\x99\x2E\x08\xB0\xEF\xFD\x69\xCF\x99\x1A\x09\x8D\xE3\xA7\x9F\x2B\xC9\x36\x34\x7B\x24\xB3\x78\x4C\x95\x17\xA4\x06\x26\x1E\xB6\x64\x52\x36\x5F\x60\x67\xD9\x9C\xC5\x05\x74\x0B\xE7\x67\x23\xD2\x08\xFC\x88\xE9\xAE\x8B\x7F\xE1\x30\xF4\x37\x7E\xFD\xC6\x32\xDA\x2D\x9E\x44\x30\x30\x6C\xEE\x07\xDE\xD2\x34\xFC\xD2\xFF\x40\xF6\x4B\xF4\x66\x46\x06\x54\xA6\xF2\x32\x0A\x63\x26\x30\x6B\x9B\xD1\xDC\x8B\x47\xBA\xE1\xB9\xD5\x62\xD0\xA2\xA0\xF4\x67\x05\x78\x29\x63\x1A\x6F\x04\xD6\xF8\xC6\x4C\xA3\x9A\xB1\x37\xB4\x8D\xE5\x28\x4B\x1D\x9E\x2C\xC2\xB8\x68\xBC\xED\x02\xEE\x31",
 	["CN=Secure Global CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xBC\x30\x82\x02\xA4\xA0\x03\x02\x01\x02\x02\x10\x07\x56\x22\xA4\xE8\xD4\x8A\x89\x4D\xF4\x13\xC8\xF0\xF8\xEA\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x34\x32\x32\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x35\x32\x30\x36\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x35\x2E\xD8\xAC\x6C\x55\x69\x06\x71\xE5\x13\x68\x24\xB3\x4F\xD8\xCC\x21\x47\xF8\xF1\x60\x38\x89\x89\x03\xE9\xBD\xEA\x5E\x46\x53\x09\xDC\x5C\xF5\x5A\xE8\xF7\x45\x2A\x02\xEB\x31\x61\xD7\x29\x33\x4C\xCE\xC7\x7C\x0A\x37\x7E\x0F\xBA\x32\x98\xE1\x1D\x97\xAF\x8F\xC7\xDC\xC9\x38\x96\xF3\xDB\x1A\xFC\x51\xED\x68\xC6\xD0\x6E\xA4\x7C\x24\xD1\xAE\x42\xC8\x96\x50\x63\x2E\xE0\xFE\x75\xFE\x98\xA7\x5F\x49\x2E\x95\xE3\x39\x33\x64\x8E\x1E\xA4\x5F\x90\xD2\x67\x3C\xB2\xD9\xFE\x41\xB9\x55\xA7\x09\x8E\x72\x05\x1E\x8B\xDD\x44\x85\x82\x42\xD0\x49\xC0\x1D\x60\xF0\xD1\x17\x2C\x95\xEB\xF6\xA5\xC1\x92\xA3\xC5\xC2\xA7\x08\x60\x0D\x60\x04\x10\x96\x79\x9E\x16\x34\xE6\xA9\xB6\xFA\x25\x45\x39\xC8\x1E\x65\xF9\x93\xF5\xAA\xF1\x52\xDC\x99\x98\x3D\xA5\x86\x1A\x0C\x35\x33\xFA\x4B\xA5\x04\x06\x15\x1C\x31\x80\xEF\xAA\x18\x6B\xC2\x7B\xD7\xDA\xCE\xF9\x33\x20\xD5\xF5\xBD\x6A\x33\x2D\x81\x04\xFB\xB0\x5C\xD4\x9C\xA3\xE2\x5C\x1D\xE3\xA9\x42\x75\x5E\x7B\xD4\x77\xEF\x39\x54\xBA\xC9\x0A\x18\x1B\x12\x99\x49\x2F\x88\x4B\xFD\x50\x62\xD1\x73\xE7\x8F\x7A\x43\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAF\x44\x04\xC2\x41\x7E\x48\x83\xDB\x4E\x39\x02\xEC\xEC\x84\x7A\xE6\xCE\xC9\xA4\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x63\x1A\x08\x40\x7D\xA4\x5E\x53\x0D\x77\xD8\x7A\xAE\x1F\x0D\x0B\x51\x16\x03\xEF\x18\x7C\xC8\xE3\xAF\x6A\x58\x93\x14\x60\x91\xB2\x84\xDC\x88\x4E\xBE\x39\x8A\x3A\xF3\xE6\x82\x89\x5D\x01\x37\xB3\xAB\x24\xA4\x15\x0E\x92\x35\x5A\x4A\x44\x5E\x4E\x57\xFA\x75\xCE\x1F\x48\xCE\x66\xF4\x3C\x40\x26\x92\x98\x6C\x1B\xEE\x24\x46\x0C\x17\xB3\x52\xA5\xDB\xA5\x91\x91\xCF\x37\xD3\x6F\xE7\x27\x08\x3A\x4E\x19\x1F\x3A\xA7\x58\x5C\x17\xCF\x79\x3F\x8B\xE4\xA7\xD3\x26\x23\x9D\x26\x0F\x58\x69\xFC\x47\x7E\xB2\xD0\x8D\x8B\x93\xBF\x29\x4F\x43\x69\x74\x76\x67\x4B\xCF\x07\x8C\xE6\x02\xF7\xB5\xE1\xB4\x43\xB5\x4B\x2D\x14\x9F\xF9\xDC\x26\x0D\xBF\xA6\x47\x74\x06\xD8\x88\xD1\x3A\x29\x30\x84\xCE\xD2\x39\x80\x62\x1B\xA8\xC7\x57\x49\xBC\x6A\x55\x51\x67\x15\x4A\xBE\x35\x07\xE4\xD5\x75\x98\x37\x79\x30\x14\xDB\x29\x9D\x6C\xC5\x69\xCC\x47\x55\xA2\x30\xF7\xCC\x5C\x7F\xC2\xC3\x98\x1C\x6B\x4E\x16\x80\xEB\x7A\x78\x65\x45\xA2\x00\x1A\xAF\x0C\x0D\x55\x64\x34\x48\xB8\x92\xB9\xF1\xB4\x50\x29\xF2\x4F\x23\x1F\xDA\x6C\xAC\x1F\x44\xE1\xDD\x23\x78\x51\x5B\xC7\x16",
 	["CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x1D\x30\x82\x03\x05\xA0\x03\x02\x01\x02\x02\x10\x4E\x81\x2D\x8A\x82\x65\xE0\x0B\x02\xEE\x3E\x35\x02\x46\xE5\x3D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x40\x8B\x8B\x72\xE3\x91\x1B\xF7\x51\xC1\x1B\x54\x04\x98\xD3\xA9\xBF\xC1\xE6\x8A\x5D\x3B\x87\xFB\xBB\x88\xCE\x0D\xE3\x2F\x3F\x06\x96\xF0\xA2\x29\x50\x99\xAE\xDB\x3B\xA1\x57\xB0\x74\x51\x71\xCD\xED\x42\x91\x4D\x41\xFE\xA9\xC8\xD8\x6A\x86\x77\x44\xBB\x59\x66\x97\x50\x5E\xB4\xD4\x2C\x70\x44\xCF\xDA\x37\x95\x42\x69\x3C\x30\xC4\x71\xB3\x52\xF0\x21\x4D\xA1\xD8\xBA\x39\x7C\x1C\x9E\xA3\x24\x9D\xF2\x83\x16\x98\xAA\x16\x7C\x43\x9B\x15\x5B\xB7\xAE\x34\x91\xFE\xD4\x62\x26\x18\x46\x9A\x3F\xEB\xC1\xF9\xF1\x90\x57\xEB\xAC\x7A\x0D\x8B\xDB\x72\x30\x6A\x66\xD5\xE0\x46\xA3\x70\xDC\x68\xD9\xFF\x04\x48\x89\x77\xDE\xB5\xE9\xFB\x67\x6D\x41\xE9\xBC\x39\xBD\x32\xD9\x62\x02\xF1\xB1\xA8\x3D\x6E\x37\x9C\xE2\x2F\xE2\xD3\xA2\x26\x8B\xC6\xB8\x55\x43\x88\xE1\x23\x3E\xA5\xD2\x24\x39\x6A\x47\xAB\x00\xD4\xA1\xB3\xA9\x25\xFE\x0D\x3F\xA7\x1D\xBA\xD3\x51\xC1\x0B\xA4\xDA\xAC\x38\xEF\x55\x50\x24\x05\x65\x46\x93\x34\x4F\x2D\x8D\xAD\xC6\xD4\x21\x19\xD2\x8E\xCA\x05\x61\x71\x07\x73\x47\xE5\x8A\x19\x12\xBD\x04\x4D\xCE\x4E\x9C\xA5\x48\xAC\xBB\x26\xF7\x02\x03\x01\x00\x01\xA3\x81\x8E\x30\x81\x8B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0B\x58\xE5\x8B\xC6\x4C\x15\x37\xA4\x40\xA9\x30\xA9\x21\xBE\x47\x36\x5A\x56\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x49\x06\x03\x55\x1D\x1F\x04\x42\x30\x40\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x43\x4F\x4D\x4F\x44\x4F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\x98\x9E\x9B\xF6\x1B\xE9\xD7\x39\xB7\x78\xAE\x1D\x72\x18\x49\xD3\x87\xE4\x43\x82\xEB\x3F\xC9\xAA\xF5\xA8\xB5\xEF\x55\x7C\x21\x52\x65\xF9\xD5\x0D\xE1\x6C\xF4\x3E\x8C\x93\x73\x91\x2E\x02\xC4\x4E\x07\x71\x6F\xC0\x8F\x38\x61\x08\xA8\x1E\x81\x0A\xC0\x2F\x20\x2F\x41\x8B\x91\xDC\x48\x45\xBC\xF1\xC6\xDE\xBA\x76\x6B\x33\xC8\x00\x2D\x31\x46\x4C\xED\xE7\x9D\xCF\x88\x94\xFF\x33\xC0\x56\xE8\x24\x86\x26\xB8\xD8\x38\x38\xDF\x2A\x6B\xDD\x12\xCC\xC7\x3F\x47\x17\x4C\xA2\xC2\x06\x96\x09\xD6\xDB\xFE\x3F\x3C\x46\x41\xDF\x58\xE2\x56\x0F\x3C\x3B\xC1\x1C\x93\x35\xD9\x38\x52\xAC\xEE\xC8\xEC\x2E\x30\x4E\x94\x35\xB4\x24\x1F\x4B\x78\x69\xDA\xF2\x02\x38\xCC\x95\x52\x93\xF0\x70\x25\x59\x9C\x20\x67\xC4\xEE\xF9\x8B\x57\x61\xF4\x92\x76\x7D\x3F\x84\x8D\x55\xB7\xE8\xE5\xAC\xD5\xF1\xF5\x19\x56\xA6\x5A\xFB\x90\x1C\xAF\x93\xEB\xE5\x1C\xD4\x67\x97\x5D\x04\x0E\xBE\x0B\x83\xA6\x17\x83\xB9\x30\x12\xA0\xC5\x33\x15\x05\xB9\x0D\xFB\xC7\x05\x76\xE3\xD8\x4A\x8D\xFC\x34\x17\xA3\xC6\x21\x28\xBE\x30\x45\x31\x1E\xC7\x78\xBE\x58\x61\x38\xAC\x3B\xE2\x01\x65",
-	["CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US"] = "\x30\x82\x03\xE6\x30\x82\x02\xCE\xA0\x03\x02\x01\x02\x02\x10\x57\xCB\x33\x6F\xC2\x5C\x16\xE6\x47\x16\x17\xE3\x90\x31\x68\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\xBC\x7E\x92\x30\x6D\xC6\xD8\x8E\x2B\x0B\xBC\x46\xCE\xE0\x27\x96\xDE\xDE\xF9\xFA\x12\xD3\x3C\x33\x73\xB3\x04\x2F\xBC\x71\x8C\xE5\x9F\xB6\x22\x60\x3E\x5F\x5D\xCE\x09\xFF\x82\x0C\x1B\x9A\x51\x50\x1A\x26\x89\xDD\xD5\x61\x5D\x19\xDC\x12\x0F\x2D\x0A\xA2\x43\x5D\x17\xD0\x34\x92\x20\xEA\x73\xCF\x38\x2C\x06\x26\x09\x7A\x72\xF7\xFA\x50\x32\xF8\xC2\x93\xD3\x69\xA2\x23\xCE\x41\xB1\xCC\xE4\xD5\x1F\x36\xD1\x8A\x3A\xF8\x8C\x63\xE2\x14\x59\x69\xED\x0D\xD3\x7F\x6B\xE8\xB8\x03\xE5\x4F\x6A\xE5\x98\x63\x69\x48\x05\xBE\x2E\xFF\x33\xB6\xE9\x97\x59\x69\xF8\x67\x19\xAE\x93\x61\x96\x44\x15\xD3\x72\xB0\x3F\xBC\x6A\x7D\xEC\x48\x7F\x8D\xC3\xAB\xAA\x71\x2B\x53\x69\x41\x53\x34\xB5\xB0\xB9\xC5\x06\x0A\xC4\xB0\x45\xF5\x41\x5D\x6E\x89\x45\x7B\x3D\x3B\x26\x8C\x74\xC2\xE5\xD2\xD1\x7D\xB2\x11\xD4\xFB\x58\x32\x22\x9A\x80\xC9\xDC\xFD\x0C\xE9\x7F\x5E\x03\x97\xCE\x3B\x00\x14\x87\x27\x70\x38\xA9\x8E\x6E\xB3\x27\x76\x98\x51\xE0\x05\xE3\x21\xAB\x1A\xD5\x85\x22\x3C\x29\xB5\x9A\x16\xC5\x80\xA8\xF4\xBB\x6B\x30\x8F\x2F\x46\x02\xA2\xB1\x0C\x22\xE0\xD3\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x21\x30\xC9\xFB\x00\xD7\x4E\x98\xDA\x87\xAA\x2A\xD0\xA7\x2E\xB1\x40\x31\xA7\x4C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x1F\x04\x4B\x30\x49\x30\x47\xA0\x45\xA0\x43\x86\x41\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6E\x65\x74\x73\x6F\x6C\x73\x73\x6C\x2E\x63\x6F\x6D\x2F\x4E\x65\x74\x77\x6F\x72\x6B\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xBB\xAE\x4B\xE7\xB7\x57\xEB\x7F\xAA\x2D\xB7\x73\x47\x85\x6A\xC1\xE4\xA5\x1D\xE4\xE7\x3C\xE9\xF4\x59\x65\x77\xB5\x7A\x5B\x5A\x8D\x25\x36\xE0\x7A\x97\x2E\x38\xC0\x57\x60\x83\x98\x06\x83\x9F\xB9\x76\x7A\x6E\x50\xE0\xBA\x88\x2C\xFC\x45\xCC\x18\xB0\x99\x95\x51\x0E\xEC\x1D\xB8\x88\xFF\x87\x50\x1C\x82\xC2\xE3\xE0\x32\x80\xBF\xA0\x0B\x47\xC8\xC3\x31\xEF\x99\x67\x32\x80\x4F\x17\x21\x79\x0C\x69\x5C\xDE\x5E\x34\xAE\x02\xB5\x26\xEA\x50\xDF\x7F\x18\x65\x2C\xC9\xF2\x63\xE1\xA9\x07\xFE\x7C\x71\x1F\x6B\x33\x24\x6A\x1E\x05\xF7\x05\x68\xC0\x6A\x12\xCB\x2E\x5E\x61\xCB\xAE\x28\xD3\x7E\xC2\xB4\x66\x91\x26\x5F\x3C\x2E\x24\x5F\xCB\x58\x0F\xEB\x28\xEC\xAF\x11\x96\xF3\xDC\x7B\x6F\xC0\xA7\x88\xF2\x53\x77\xB3\x60\x5E\xAE\xAE\x28\xDA\x35\x2C\x6F\x34\x45\xD3\x26\xE1\xDE\xEC\x5B\x4F\x27\x6B\x16\x7C\xBD\x44\x04\x18\x82\xB3\x89\x79\x17\x10\x71\x3D\x7A\xA2\x16\x4E\xF5\x01\xCD\xA4\x6C\x65\x68\xA1\x49\x76\x5C\x43\xC9\xD8\xBC\x36\x67\x6C\xA5\x94\xB5\xD4\xCC\xB9\xBD\x6A\x35\x56\x21\xDE\xD8\xC3\xEB\xFB\xCB\xA4\x60\x4C\xB0\x55\xA0\xA0\x7B\x57\xB2",
 	["CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x02\x89\x30\x82\x02\x0F\xA0\x03\x02\x01\x02\x02\x10\x1F\x47\xAF\xAA\x62\x00\x70\x50\x54\x4C\x01\x9E\x9B\x63\x99\x2A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x33\x30\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x03\x47\x7B\x2F\x75\xC9\x82\x15\x85\xFB\x75\xE4\x91\x16\xD4\xAB\x62\x99\xF5\x3E\x52\x0B\x06\xCE\x41\x00\x7F\x97\xE1\x0A\x24\x3C\x1D\x01\x04\xEE\x3D\xD2\x8D\x09\x97\x0C\xE0\x75\xE4\xFA\xFB\x77\x8A\x2A\xF5\x03\x60\x4B\x36\x8B\x16\x23\x16\xAD\x09\x71\xF4\x4A\xF4\x28\x50\xB4\xFE\x88\x1C\x6E\x3F\x6C\x2F\x2F\x09\x59\x5B\xA5\x5B\x0B\x33\x99\xE2\xC3\x3D\x89\xF9\x6A\x2C\xEF\xB2\xD3\x06\xE9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x75\x71\xA7\x19\x48\x19\xBC\x9D\x9D\xEA\x41\x47\xDF\x94\xC4\x48\x77\x99\xD3\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xEF\x03\x5B\x7A\xAC\xB7\x78\x0A\x72\xB7\x88\xDF\xFF\xB5\x46\x14\x09\x0A\xFA\xA0\xE6\x7D\x08\xC6\x1A\x87\xBD\x18\xA8\x73\xBD\x26\xCA\x60\x0C\x9D\xCE\x99\x9F\xCF\x5C\x0F\x30\xE1\xBE\x14\x31\xEA\x02\x30\x14\xF4\x93\x3C\x49\xA7\x33\x7A\x90\x46\x47\xB3\x63\x7D\x13\x9B\x4E\xB7\x6F\x18\x37\x80\x53\xFE\xDD\x20\xE0\x35\x9A\x36\xD1\xC7\x01\xB9\xE6\xDC\xDD\xF3\xFF\x1D\x2C\x3A\x16\x57\xD9\x92\x39\xD6",
 	["CN=Certigna,O=Dhimyotis,C=FR"] = "\x30\x82\x03\xA8\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x1E\x17\x0D\x30\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x17\x0D\x32\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x68\xF1\xC9\xD6\xD6\xB3\x34\x75\x26\x82\x1E\xEC\xB4\xBE\xEA\x5C\xE1\x26\xED\x11\x47\x61\xE1\xA2\x7C\x16\x78\x40\x21\xE4\x60\x9E\x5A\xC8\x63\xE1\xC4\xB1\x96\x92\xFF\x18\x6D\x69\x23\xE1\x2B\x62\xF7\xDD\xE2\x36\x2F\x91\x07\xB9\x48\xCF\x0E\xEC\x79\xB6\x2C\xE7\x34\x4B\x70\x08\x25\xA3\x3C\x87\x1B\x19\xF2\x81\x07\x0F\x38\x90\x19\xD3\x11\xFE\x86\xB4\xF2\xD1\x5E\x1E\x1E\x96\xCD\x80\x6C\xCE\x3B\x31\x93\xB6\xF2\xA0\xD0\xA9\x95\x12\x7D\xA5\x9A\xCC\x6B\xC8\x84\x56\x8A\x33\xA9\xE7\x22\x15\x53\x16\xF0\xCC\x17\xEC\x57\x5F\xE9\xA2\x0A\x98\x09\xDE\xE3\x5F\x9C\x6F\xDC\x48\xE3\x85\x0B\x15\x5A\xA6\xBA\x9F\xAC\x48\xE3\x09\xB2\xF7\xF4\x32\xDE\x5E\x34\xBE\x1C\x78\x5D\x42\x5B\xCE\x0E\x22\x8F\x4D\x90\xD7\x7D\x32\x18\xB3\x0B\x2C\x6A\xBF\x8E\x3F\x14\x11\x89\x20\x0E\x77\x14\xB5\x3D\x94\x08\x87\xF7\x25\x1E\xD5\xB2\x60\x00\xEC\x6F\x2A\x28\x25\x6E\x2A\x3E\x18\x63\x17\x25\x3F\x3E\x44\x20\x16\xF6\x26\xC8\x25\xAE\x05\x4A\xB4\xE7\x63\x2C\xF3\x8C\x16\x53\x7E\x5C\xFB\x11\x1A\x08\xC1\x46\x62\x9F\x22\xB8\xF1\xC2\x8D\x69\xDC\xFA\x3A\x58\x06\xDF\x02\x03\x01\x00\x01\xA3\x81\xBC\x30\x81\xB9\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\x30\x64\x06\x03\x55\x1D\x23\x04\x5D\x30\x5B\x80\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\xA1\x38\xA4\x36\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x82\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x03\x1E\x92\x71\xF6\x42\xAF\xE1\xA3\x61\x9E\xEB\xF3\xC0\x0F\xF2\xA5\xD4\xDA\x95\xE6\xD6\xBE\x68\x36\x3D\x7E\x6E\x1F\x4C\x8A\xEF\xD1\x0F\x21\x6D\x5E\xA5\x52\x63\xCE\x12\xF8\xEF\x2A\xDA\x6F\xEB\x37\xFE\x13\x02\xC7\xCB\x3B\x3E\x22\x6B\xDA\x61\x2E\x7F\xD4\x72\x3D\xDD\x30\xE1\x1E\x4C\x40\x19\x8C\x0F\xD7\x9C\xD1\x83\x30\x7B\x98\x59\xDC\x7D\xC6\xB9\x0C\x29\x4C\xA1\x33\xA2\xEB\x67\x3A\x65\x84\xD3\x96\xE2\xED\x76\x45\x70\x8F\xB5\x2B\xDE\xF9\x23\xD6\x49\x6E\x3C\x14\xB5\xC6\x9F\x35\x1E\x50\xD0\xC1\x8F\x6A\x70\x44\x02\x62\xCB\xAE\x1D\x68\x41\xA7\xAA\x57\xE8\x53\xAA\x07\xD2\x06\xF6\xD5\x14\x06\x0B\x91\x03\x75\x2C\x6C\x72\xB5\x61\x95\x9A\x0D\x8B\xB9\x0D\xE7\xF5\xDF\x54\xCD\xDE\xE6\xD8\xD6\x09\x08\x97\x63\xE5\xC1\x2E\xB0\xB7\x44\x26\xC0\x26\xC0\xAF\x55\x30\x9E\x3B\xD5\x36\x2A\x19\x04\xF4\x5C\x1E\xFF\xCF\x2C\xB7\xFF\xD0\xFD\x87\x40\x11\xD5\x11\x23\xBB\x48\xC0\x21\xA9\xA4\x28\x2D\xFD\x15\xF8\xB0\x4E\x2B\xF4\x30\x5B\x21\xFC\x11\x91\x34\xBE\x41\xEF\x7B\x9D\x97\x75\xFF\x97\x95\xC0\x96\x58\x2F\xEA\xBB\x46\xD7\xBB\xE4\xD9\x2E",
 	["OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\, Ltd.,C=TW"] = "\x30\x82\x05\xB0\x30\x82\x03\x98\xA0\x03\x02\x01\x02\x02\x10\x15\xC8\xBD\x65\x47\x5C\xAF\xB8\x97\x00\x5E\xE4\x06\xD2\xBC\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x17\x0D\x33\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE1\x25\x0F\xEE\x8D\xDB\x88\x33\x75\x67\xCD\xAD\x1F\x7D\x3A\x4E\x6D\x9D\xD3\x2F\x14\xF3\x63\x74\xCB\x01\x21\x6A\x37\xEA\x84\x50\x07\x4B\x26\x5B\x09\x43\x6C\x21\x9E\x6A\xC8\xD5\x03\xF5\x60\x69\x8F\xCC\xF0\x22\xE4\x1F\xE7\xF7\x6A\x22\x31\xB7\x2C\x15\xF2\xE0\xFE\x00\x6A\x43\xFF\x87\x65\xC6\xB5\x1A\xC1\xA7\x4C\x6D\x22\x70\x21\x8A\x31\xF2\x97\x74\x89\x09\x12\x26\x1C\x9E\xCA\xD9\x12\xA2\x95\x3C\xDA\xE9\x67\xBF\x08\xA0\x64\xE3\xD6\x42\xB7\x45\xEF\x97\xF4\xF6\xF5\xD7\xB5\x4A\x15\x02\x58\x7D\x98\x58\x4B\x60\xBC\xCD\xD7\x0D\x9A\x13\x33\x53\xD1\x61\xF9\x7A\xD5\xD7\x78\xB3\x9A\x33\xF7\x00\x86\xCE\x1D\x4D\x94\x38\xAF\xA8\xEC\x78\x51\x70\x8A\x5C\x10\x83\x51\x21\xF7\x11\x3D\x34\x86\x5E\xE5\x48\xCD\x97\x81\x82\x35\x4C\x19\xEC\x65\xF6\x6B\xC5\x05\xA1\xEE\x47\x13\xD6\xB3\x21\x27\x94\x10\x0A\xD9\x24\x3B\xBA\xBE\x44\x13\x46\x30\x3F\x97\x3C\xD8\xD7\xD7\x6A\xEE\x3B\x38\xE3\x2B\xD4\x97\x0E\xB9\x1B\xE7\x07\x49\x7F\x37\x2A\xF9\x77\x78\xCF\x54\xED\x5B\x46\x9D\xA3\x80\x0E\x91\x43\xC1\xD6\x5B\x5F\x14\xBA\x9F\xA6\x8D\x24\x47\x40\x59\xBF\x72\x38\xB2\x36\x6C\x37\xFF\x99\xD1\x5D\x0E\x59\x0A\xAB\x69\xF7\xC0\xB2\x04\x45\x7A\x54\x00\xAE\xBE\x53\xF6\xB5\xE7\xE1\xF8\x3C\xA3\x31\xD2\xA9\xFE\x21\x52\x64\xC5\xA6\x67\xF0\x75\x07\x06\x94\x14\x81\x55\xC6\x27\xE4\x01\x8F\x17\xC1\x6A\x71\xD7\xBE\x4B\xFB\x94\x58\x7D\x7E\x11\x33\xB1\x42\xF7\x62\x6C\x18\xD6\xCF\x09\x68\x3E\x7F\x6C\xF6\x1E\x8F\x62\xAD\xA5\x63\xDB\x09\xA7\x1F\x22\x42\x41\x1E\x6F\x99\x8A\x3E\xD7\xF9\x3F\x40\x7A\x79\xB0\xA5\x01\x92\xD2\x9D\x3D\x08\x15\xA5\x10\x01\x2D\xB3\x32\x76\xA8\x95\x0D\xB3\x7A\x9A\xFB\x07\x10\x78\x11\x6F\xE1\x8F\xC7\xBA\x0F\x25\x1A\x74\x2A\xE5\x1C\x98\x41\x99\xDF\x21\x87\xE8\x95\x06\x6A\x0A\xB3\x6A\x47\x76\x65\xF6\x3A\xCF\x8F\x62\x17\x19\x7B\x0A\x28\xCD\x1A\xD2\x83\x1E\x21\xC7\x2C\xBF\xBE\xFF\x61\x68\xB7\x67\x1B\xBB\x78\x4D\x8D\xCE\x67\xE5\xE4\xC1\x8E\xB7\x23\x66\xE2\x9D\x90\x75\x34\x98\xA9\x36\x2B\x8A\x9A\x94\xB9\x9D\xEC\xCC\x8A\xB1\xF8\x25\x89\x5C\x5A\xB6\x2F\x8C\x1F\x6D\x79\x24\xA7\x52\x68\xC3\x84\x35\xE2\x66\x8D\x63\x0E\x25\x4D\xD5\x19\xB2\xE6\x79\x37\xA7\x22\x9D\x54\x31\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1E\x0C\xF7\xB6\x67\xF2\xE1\x92\x26\x09\x45\xC0\x55\x39\x2E\x77\x3F\x42\x4A\xA2\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x45\xB0\xC2\xC7\x0A\x56\x7C\xEE\x5B\x78\x0C\x95\xF9\x18\x53\xC1\xA6\x1C\xD8\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x09\xB3\x83\x53\x59\x01\x3E\x95\x49\xB9\xF1\x81\xBA\xF9\x76\x20\x23\xB5\x27\x60\x74\xD4\x6A\x99\x34\x5E\x6C\x00\x53\xD9\x9F\xF2\xA6\xB1\x24\x07\x44\x6A\x2A\xC6\xA5\x8E\x78\x12\xE8\x47\xD9\x58\x1B\x13\x2A\x5E\x79\x9B\x9F\x0A\x2A\x67\xA6\x25\x3F\x06\x69\x56\x73\xC3\x8A\x66\x48\xFB\x29\x81\x57\x74\x06\xCA\x9C\xEA\x28\xE8\x38\x67\x26\x2B\xF1\xD5\xB5\x3F\x65\x93\xF8\x36\x5D\x8E\x8D\x8D\x40\x20\x87\x19\xEA\xEF\x27\xC0\x3D\xB4\x39\x0F\x25\x7B\x68\x50\x74\x55\x9C\x0C\x59\x7D\x5A\x3D\x41\x94\x25\x52\x08\xE0\x47\x2C\x15\x31\x19\xD5\xBF\x07\x55\xC6\xBB\x12\xB5\x97\xF4\x5F\x83\x85\xBA\x71\xC1\xD9\x6C\x81\x11\x76\x0A\x0A\xB0\xBF\x82\x97\xF7\xEA\x3D\xFA\xFA\xEC\x2D\xA9\x28\x94\x3B\x56\xDD\xD2\x51\x2E\xAE\xC0\xBD\x08\x15\x8C\x77\x52\x34\x96\xD6\x9B\xAC\xD3\x1D\x8E\x61\x0F\x35\x7B\x9B\xAE\x39\x69\x0B\x62\x60\x40\x20\x36\x8F\xAF\xFB\x36\xEE\x2D\x08\x4A\x1D\xB8\xBF\x9B\x5C\xF8\xEA\xA5\x1B\xA0\x73\xA6\xD8\xF8\x6E\xE0\x33\x04\x5F\x68\xAA\x27\x87\xED\xD9\xC1\x90\x9C\xED\xBD\xE3\x6A\x35\xAF\x63\xDF\xAB\x18\xD9\xBA\xE6\xE9\x4A\xEA\x50\x8A\x0F\x61\x93\x1E\xE2\x2D\x19\xE2\x30\x94\x35\x92\x5D\x0E\xB6\x07\xAF\x19\x80\x8F\x47\x90\x51\x4B\x2E\x4D\xDD\x85\xE2\xD2\x0A\x52\x0A\x17\x9A\xFC\x1A\xB0\x50\x02\xE5\x01\xA3\x63\x37\x21\x4C\x44\xC4\x9B\x51\x99\x11\x0E\x73\x9C\x06\x8F\x54\x2E\xA7\x28\x5E\x44\x39\x87\x56\x2D\x37\xBD\x85\x44\x94\xE1\x0C\x4B\x2C\x9C\xC3\x92\x85\x34\x61\xCB\x0F\xB8\x9B\x4A\x43\x52\xFE\x34\x3A\x7D\xB8\xE9\x29\xDC\x76\xA9\xC8\x30\xF8\x14\x71\x80\xC6\x1E\x36\x48\x74\x22\x41\x5C\x87\x82\xE8\x18\x71\x8B\x41\x89\x44\xE7\x7E\x58\x5B\xA8\xB8\x8D\x13\xE9\xA7\x6C\xC3\x47\xED\xB3\x1A\x9D\x62\xAE\x8D\x82\xEA\x94\x9E\xDD\x59\x10\xC3\xAD\xDD\xE2\x4D\xE3\x31\xD5\xC7\xEC\xE8\xF2\xB0\xFE\x92\x1E\x16\x0A\x1A\xFC\xD9\xF3\xF8\x27\xB6\xC9\xBE\x1D\xB4\x6C\x64\x90\x7F\xF4\xE4\xC4\x5B\xD7\x37\xAE\x42\x0E\xDD\xA4\x1A\x6F\x7C\x88\x54\xC5\x16\x6E\xE1\x7A\x68\x2E\xF8\x3A\xBF\x0D\xA4\x3C\x89\x3B\x78\xA7\x4E\x63\x83\x04\x21\x08\x67\x8D\xF2\x82\x49\xD0\x5B\xFD\xB1\xCD\x0F\x83\x84\xD4\x3E\x20\x85\xF7\x4A\x3D\x2B\x9C\xFD\x2A\x0A\x09\x4D\xEA\x81\xF8\x11\x9C",
@@ -52,8 +51,6 @@ redef root_certs += {
 	["CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = "\x30\x82\x03\xBB\x30\x82\x02\xA3\xA0\x03\x02\x01\x02\x02\x03\x04\x44\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x32\x31\x32\x30\x37\x33\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x32\x30\x37\x33\x37\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE3\xFB\x7D\xA3\x72\xBA\xC2\xF0\xC9\x14\x87\xF5\x6B\x01\x4E\xE1\x6E\x40\x07\xBA\x6D\x27\x5D\x7F\xF7\x5B\x2D\xB3\x5A\xC7\x51\x5F\xAB\xA4\x32\xA6\x61\x87\xB6\x6E\x0F\x86\xD2\x30\x02\x97\xF8\xD7\x69\x57\xA1\x18\x39\x5D\x6A\x64\x79\xC6\x01\x59\xAC\x3C\x31\x4A\x38\x7C\xD2\x04\xD2\x4B\x28\xE8\x20\x5F\x3B\x07\xA2\xCC\x4D\x73\xDB\xF3\xAE\x4F\xC7\x56\xD5\x5A\xA7\x96\x89\xFA\xF3\xAB\x68\xD4\x23\x86\x59\x27\xCF\x09\x27\xBC\xAC\x6E\x72\x83\x1C\x30\x72\xDF\xE0\xA2\xE9\xD2\xE1\x74\x75\x19\xBD\x2A\x9E\x7B\x15\x54\x04\x1B\xD7\x43\x39\xAD\x55\x28\xC5\xE2\x1A\xBB\xF4\xC0\xE4\xAE\x38\x49\x33\xCC\x76\x85\x9F\x39\x45\xD2\xA4\x9E\xF2\x12\x8C\x51\xF8\x7C\xE4\x2D\x7F\xF5\xAC\x5F\xEB\x16\x9F\xB1\x2D\xD1\xBA\xCC\x91\x42\x77\x4C\x25\xC9\x90\x38\x6F\xDB\xF0\xCC\xFB\x8E\x1E\x97\x59\x3E\xD5\x60\x4E\xE6\x05\x28\xED\x49\x79\x13\x4B\xBA\x48\xDB\x2F\xF9\x72\xD3\x39\xCA\xFE\x1F\xD8\x34\x72\xF5\xB4\x40\xCF\x31\x01\xC3\xEC\xDE\x11\x2D\x17\x5D\x1F\xB8\x50\xD1\x5E\x19\xA7\x69\xDE\x07\x33\x28\xCA\x50\x95\xF9\xA7\x54\xCB\x54\x86\x50\x45\xA9\xF9\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x08\x76\xCD\xCB\x07\xFF\x24\xF6\xC5\xCD\xED\xBB\x90\xBC\xE2\x84\x37\x46\x75\xF7\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA6\xA8\xAD\x22\xCE\x01\x3D\xA6\xA3\xFF\x62\xD0\x48\x9D\x8B\x5E\x72\xB0\x78\x44\xE3\xDC\x1C\xAF\x09\xFD\x23\x48\xFA\xBD\x2A\xC4\xB9\x55\x04\xB5\x10\xA3\x8D\x27\xDE\x0B\x82\x63\xD0\xEE\xDE\x0C\x37\x79\x41\x5B\x22\xB2\xB0\x9A\x41\x5C\xA6\x70\xE0\xD4\xD0\x77\xCB\x23\xD3\x00\xE0\x6C\x56\x2F\xE1\x69\x0D\x0D\xD9\xAA\xBF\x21\x81\x50\xD9\x06\xA5\xA8\xFF\x95\x37\xD0\xAA\xFE\xE2\xB3\xF5\x99\x2D\x45\x84\x8A\xE5\x42\x09\xD7\x74\x02\x2F\xF7\x89\xD8\x99\xE9\xBC\x27\xD4\x47\x8D\xBA\x0D\x46\x1C\x77\xCF\x14\xA4\x1C\xB9\xA4\x31\xC4\x9C\x28\x74\x03\x34\xFF\x33\x19\x26\xA5\xE9\x0D\x74\xB7\x3E\x97\xC6\x76\xE8\x27\x96\xA3\x66\xDD\xE1\xAE\xF2\x41\x5B\xCA\x98\x56\x83\x73\x70\xE4\x86\x1A\xD2\x31\x41\xBA\x2F\xBE\x2D\x13\x5A\x76\x6F\x4E\xE8\x4E\x81\x0E\x3F\x5B\x03\x22\xA0\x12\xBE\x66\x58\x11\x4A\xCB\x03\xC4\xB4\x2A\x2A\x2D\x96\x17\xE0\x39\x54\xBC\x48\xD3\x76\x27\x9D\x9A\x2D\x06\xA6\xC9\xEC\x39\xD2\xAB\xDB\x9F\x9A\x0B\x27\x02\x35\x29\xB1\x40\x95\xE7\xF9\xE8\x9C\x55\x88\x19\x46\xD6\xB7\x34\xF5\x7E\xCE\x39\x9A\xD9\x38\xF1\x51\xF7\x4F\x2C",
 	["CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x03\x7B\x30\x82\x02\x63\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x38\x32\x38\x30\x37\x32\x34\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB0\x7E\x72\xB8\xA4\x03\x94\xE6\xA7\xDE\x09\x38\x91\x4A\x11\x40\x87\xA7\x7C\x59\x64\x14\x7B\xB5\x11\x10\xDD\xFE\xBF\xD5\xC0\xBB\x56\xE2\x85\x25\xF4\x35\x72\x0F\xF8\x53\xD0\x41\xE1\x44\x01\xC2\xB4\x1C\xC3\x31\x42\x16\x47\x85\x33\x22\x76\xB2\x0A\x6F\x0F\xE5\x25\x50\x4F\x85\x86\xBE\xBF\x98\x2E\x10\x67\x1E\xBE\x11\x05\x86\x05\x90\xC4\x59\xD0\x7C\x78\x10\xB0\x80\x5C\xB7\xE1\xC7\x2B\x75\xCB\x7C\x9F\xAE\xB5\xD1\x9D\x23\x37\x63\xA7\xDC\x42\xA2\x2D\x92\x04\x1B\x50\xC1\x7B\xB8\x3E\x1B\xC9\x56\x04\x8B\x2F\x52\x9B\xAD\xA9\x56\xE9\xC1\xFF\xAD\xA9\x58\x87\x30\xB6\x81\xF7\x97\x45\xFC\x19\x57\x3B\x2B\x6F\xE4\x47\xF4\x99\x45\xFE\x1D\xF1\xF8\x97\xA3\x88\x1D\x37\x1C\x5C\x8F\xE0\x76\x25\x9A\x50\xF8\xA0\x54\xFF\x44\x90\x76\x23\xD2\x32\xC6\xC3\xAB\x06\xBF\xFC\xFB\xBF\xF3\xAD\x7D\x92\x62\x02\x5B\x29\xD3\x35\xA3\x93\x9A\x43\x64\x60\x5D\xB2\xFA\x32\xFF\x3B\x04\xAF\x4D\x40\x6A\xF9\xC7\xE3\xEF\x23\xFD\x6B\xCB\xE5\x0F\x8B\x38\x0D\xEE\x0A\xFC\xFE\x0F\x98\x9F\x30\x31\xDD\x6C\x52\x65\xF9\x8B\x81\xBE\x22\xE1\x1C\x58\x03\xBA\x91\x1B\x89\x07\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x38\x5B\x26\x8D\xDE\x8B\x5A\xF2\x4F\x7A\x54\x83\x19\x18\xE3\x08\x35\xA6\xBA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\xD5\x77\x3D\xDA\xDF\x89\xBA\x87\x0C\x08\x54\x6A\x20\x50\x92\xBE\xB0\x41\x3D\xB9\x26\x64\x83\x0A\x2F\xE8\x40\xC0\x97\x28\x27\x82\x30\x4A\xC9\x93\xFF\x6A\xE7\xA6\x00\x7F\x89\x42\x9A\xD6\x11\xE5\x53\xCE\x2F\xCC\xF2\xDA\x05\xC4\xFE\xE2\x50\xC4\x3A\x86\x7D\xCC\xDA\x7E\x10\x09\x3B\x92\x35\x2A\x53\xB2\xFE\xEB\x2B\x05\xD9\x6C\x5D\xE6\xD0\xEF\xD3\x6A\x66\x9E\x15\x28\x85\x7A\xE8\x82\x00\xAC\x1E\xA7\x09\x69\x56\x42\xD3\x68\x51\x18\xBE\x54\x9A\xBF\x44\x41\xBA\x49\xBE\x20\xBA\x69\x5C\xEE\xB8\x77\xCD\xCE\x6C\x1F\xAD\x83\x96\x18\x7D\x0E\xB5\x14\x39\x84\xF1\x28\xE9\x2D\xA3\x9E\x7B\x1E\x7A\x72\x5A\x83\xB3\x79\x6F\xEF\xB4\xFC\xD0\x0A\xA5\x58\x4F\x46\xDF\xFB\x6D\x79\x59\xF2\x84\x22\x52\xAE\x0F\xCC\xFB\x7C\x3B\xE7\x6A\xCA\x47\x61\xC3\x7A\xF8\xD3\x92\x04\x1F\xB8\x20\x84\xE1\x36\x54\x16\xC7\x40\xDE\x3B\x8A\x73\xDC\xDF\xC6\x09\x4C\xDF\xEC\xDA\xFF\xD4\x53\x42\xA1\xC9\xF2\x62\x1D\x22\x83\x3C\x97\xC5\xF9\x19\x62\x27\xAC\x65\x22\xD7\xD3\x3C\xC6\xE5\x8E\xB2\x53\xCC\x49\xCE\xBC\x30\xFE\x7B\x0E\x33\x90\xFB\xED\xD2\x14\x91\x1F\x07\xAF",
 	["OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x17\x0D\x32\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x15\x39\x52\xB1\x52\xB3\xBA\xC5\x59\x82\xC4\x5D\x52\xAE\x3A\x43\x65\x80\x4B\xC7\xF2\x96\xBC\xDB\x36\x97\xD6\xA6\x64\x8C\xA8\x5E\xF0\xE3\x0A\x1C\xF7\xDF\x97\x3D\x4B\xAE\xF6\x5D\xEC\x21\xB5\x41\xAB\xCD\xB9\x7E\x76\x9F\xBE\xF9\x3E\x36\x34\xA0\x3B\xC1\xF6\x31\x11\x45\x74\x93\x3D\x57\x80\xC5\xF9\x89\x99\xCA\xE5\xAB\x6A\xD4\xB5\xDA\x41\x90\x10\xC1\xD6\xD6\x42\x89\xC2\xBF\xF4\x38\x12\x95\x4C\x54\x05\xF7\x36\xE4\x45\x83\x7B\x14\x65\xD6\xDC\x0C\x4D\xD1\xDE\x7E\x0C\xAB\x3B\xC4\x15\xBE\x3A\x56\xA6\x5A\x6F\x76\x69\x52\xA9\x7A\xB9\xC8\xEB\x6A\x9A\x5D\x52\xD0\x2D\x0A\x6B\x35\x16\x09\x10\x84\xD0\x6A\xCA\x3A\x06\x00\x37\x47\xE4\x7E\x57\x4F\x3F\x8B\xEB\x67\xB8\x88\xAA\xC5\xBE\x53\x55\xB2\x91\xC4\x7D\xB9\xB0\x85\x19\x06\x78\x2E\xDB\x61\x1A\xFA\x85\xF5\x4A\x91\xA1\xE7\x16\xD5\x8E\xA2\x39\xDF\x94\xB8\x70\x1F\x28\x3F\x8B\xFC\x40\x5E\x63\x83\x3C\x83\x2A\x1A\x99\x6B\xCF\xDE\x59\x6A\x3B\xFC\x6F\x16\xD7\x1F\xFD\x4A\x10\xEB\x4E\x82\x16\x3A\xAC\x27\x0C\x53\xF1\xAD\xD5\x24\xB0\x6B\x03\x50\xC1\x2D\x3C\x16\xDD\x44\x34\x27\x1A\x75\xFB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0A\x85\xA9\x77\x65\x05\x98\x7C\x40\x81\xF8\x0F\x97\x2C\x38\xF1\x0A\xEC\x3C\xCF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4C\x3A\xA3\x44\xAC\xB9\x45\xB1\xC7\x93\x7E\xC8\x0B\x0A\x42\xDF\x64\xEA\x1C\xEE\x59\x6C\x08\xBA\x89\x5F\x6A\xCA\x4A\x95\x9E\x7A\x8F\x07\xC5\xDA\x45\x72\x82\x71\x0E\x3A\xD2\xCC\x6F\xA7\xB4\xA1\x23\xBB\xF6\x24\x9F\xCB\x17\xFE\x8C\xA6\xCE\xC2\xD2\xDB\xCC\x8D\xFC\x71\xFC\x03\x29\xC1\x6C\x5D\x33\x5F\x64\xB6\x65\x3B\x89\x6F\x18\x76\x78\xF5\xDC\xA2\x48\x1F\x19\x3F\x8E\x93\xEB\xF1\xFA\x17\xEE\xCD\x4E\xE3\x04\x12\x55\xD6\xE5\xE4\xDD\xFB\x3E\x05\x7C\xE2\x1D\x5E\xC6\xA7\xBC\x97\x4F\x68\x3A\xF5\xE9\x2E\x0A\x43\xB6\xAF\x57\x5C\x62\x68\x7C\xB7\xFD\xA3\x8A\x84\xA0\xAC\x62\xBE\x2B\x09\x87\x34\xF0\x6A\x01\xBB\x9B\x29\x56\x3C\xFE\x00\x37\xCF\x23\x6C\xF1\x4E\xAA\xB6\x74\x46\x12\x6C\x91\xEE\x34\xD5\xEC\x9A\x91\xE7\x44\xBE\x90\x31\x72\xD5\x49\x02\xF6\x02\xE5\xF4\x1F\xEB\x7C\xD9\x96\x55\xA9\xFF\xEC\x8A\xF9\x99\x47\xFF\x35\x5A\x02\xAA\x04\xCB\x8A\x5B\x87\x71\x29\x91\xBD\xA4\xB4\x7A\x0D\xBD\x9A\xF5\x57\x23\x00\x07\x21\x17\x3F\x4A\x39\xD1\x05\x49\x0B\xA7\xB6\x37\x81\xA5\x5D\x8C\xAA\x33\x5E\x81\x28\x7C\xA7\x7D\x27\xEB\x00\xAE\x8D\x37",
-	["CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES"] = "\x30\x82\x05\x56\x30\x82\x04\x3E\xA0\x03\x02\x01\x02\x02\x10\xEE\x2B\x3D\xEB\xD4\x21\xDE\x14\xA8\x62\xAC\x04\xF3\xDD\xC4\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x1E\x17\x0D\x30\x33\x30\x31\x30\x37\x32\x33\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x30\x31\x30\x37\x32\x32\x35\x39\x35\x39\x5A\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\x22\xC7\x4F\xE2\x97\x42\x95\x88\x47\x83\x40\xF6\x1D\x17\xF3\x83\x73\x24\x1E\x51\xF3\x98\x8A\xC3\x92\xB8\xFF\x40\x90\x05\x70\x87\x60\xC9\x00\xA9\xB5\x94\x65\x19\x22\x15\x17\xC2\x43\x6C\x66\x44\x9A\x0D\x04\x3E\x39\x6F\xA5\x4B\x7A\xAA\x63\xB7\x8A\x44\x9D\xD9\x63\x91\x84\x66\xE0\x28\x0F\xBA\x42\xE3\x6E\x8E\xF7\x14\x27\x93\x69\xEE\x91\x0E\xA3\x5F\x0E\xB1\xEB\x66\xA2\x72\x4F\x12\x13\x86\x65\x7A\x3E\xDB\x4F\x07\xF4\xA7\x09\x60\xDA\x3A\x42\x99\xC7\xB2\x7F\xB3\x16\x95\x1C\xC7\xF9\x34\xB5\x94\x85\xD5\x99\x5E\xA0\x48\xA0\x7E\xE7\x17\x65\xB8\xA2\x75\xB8\x1E\xF3\xE5\x42\x7D\xAF\xED\xF3\x8A\x48\x64\x5D\x82\x14\x93\xD8\xC0\xE4\xFF\xB3\x50\x72\xF2\x76\xF6\xB3\x5D\x42\x50\x79\xD0\x94\x3E\x6B\x0C\x00\xBE\xD8\x6B\x0E\x4E\x2A\xEC\x3E\xD2\xCC\x82\xA2\x18\x65\x33\x13\x77\x9E\x9A\x5D\x1A\x13\xD8\xC3\xDB\x3D\xC8\x97\x7A\xEE\x70\xED\xA7\xE6\x7C\xDB\x71\xCF\x2D\x94\x62\xDF\x6D\xD6\xF5\x38\xBE\x3F\xA5\x85\x0A\x19\xB8\xA8\xD8\x09\x75\x42\x70\xC4\xEA\xEF\xCB\x0E\xC8\x34\xA8\x12\x22\x98\x0C\xB8\x13\x94\xB6\x4B\xEC\xF0\xD0\x90\xE7\x27\x02\x03\x01\x00\x01\xA3\x81\xE3\x30\x81\xE0\x30\x1D\x06\x03\x55\x1D\x11\x04\x16\x30\x14\x81\x12\x65\x63\x5F\x61\x63\x63\x40\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\xC3\x8B\x44\xAA\x37\xA5\x45\xBF\x97\x80\x5A\xD1\xF1\x78\xA2\x9B\xE9\x5D\x8D\x30\x7F\x06\x03\x55\x1D\x20\x04\x78\x30\x76\x30\x74\x06\x0B\x2B\x06\x01\x04\x01\xF5\x78\x01\x03\x01\x0A\x30\x65\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x29\x1A\x27\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\x48\x5B\x82\x01\xF6\x4D\x48\xB8\x39\x55\x35\x9C\x80\x7A\x53\x99\xD5\x5A\xFF\xB1\x71\x3B\xCC\x39\x09\x94\x5E\xD6\xDA\xEF\xBE\x01\x5B\x5D\xD3\x1E\xD8\xFD\x7D\x4F\xCD\xA0\x41\xE0\x34\x93\xBF\xCB\xE2\x86\x9C\x37\x92\x90\x56\x1C\xDC\xEB\x29\x05\xE5\xC4\x9E\xC7\x35\xDF\x8A\x0C\xCD\xC5\x21\x43\xE9\xAA\x88\xE5\x35\xC0\x19\x42\x63\x5A\x02\x5E\xA4\x48\x18\x3A\x85\x6F\xDC\x9D\xBC\x3F\x9D\x9C\xC1\x87\xB8\x7A\x61\x08\xE9\x77\x0B\x7F\x70\xAB\x7A\xDD\xD9\x97\x2C\x64\x1E\x85\xBF\xBC\x74\x96\xA1\xC3\x7A\x12\xEC\x0C\x1A\x6E\x83\x0C\x3C\xE8\x72\x46\x9F\xFB\x48\xD5\x5E\x97\xE6\xB1\xA1\xF8\xE4\xEF\x46\x25\x94\x9C\x89\xDB\x69\x38\xBE\xEC\x5C\x0E\x56\xC7\x65\x51\xE5\x50\x88\x88\xBF\x42\xD5\x2B\x3D\xE5\xF9\xBA\x9E\x2E\xB3\xCA\xF4\x73\x92\x02\x0B\xBE\x4C\x66\xEB\x20\xFE\xB9\xCB\xB5\x99\x7F\xE6\xB6\x13\xFA\xCA\x4B\x4D\xD9\xEE\x53\x46\x06\x3B\xC6\x4E\xAD\x93\x5A\x81\x7E\x6C\x2A\x4B\x6A\x05\x45\x8C\xF2\x21\xA4\x31\x90\x87\x6C\x65\x9C\x9D\xA5\x60\x95\x3A\x52\x7F\xF5\xD1\xAB\x08\x6E\xF3\xEE\x5B\xF9\x88\x3D\x7E\xB8\x6F\x6E\x03\xE4\x42",
-	["CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR"] = "\x30\x82\x04\x31\x30\x82\x03\x19\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x1E\x17\x0D\x31\x31\x31\x32\x30\x36\x31\x33\x34\x39\x35\x32\x5A\x17\x0D\x33\x31\x31\x32\x30\x31\x31\x33\x34\x39\x35\x32\x5A\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA9\x53\x00\xE3\x2E\xA6\xF6\x8E\xFA\x60\xD8\x2D\x95\x3E\xF8\x2C\x2A\x54\x4E\xCD\xB9\x84\x61\x94\x58\x4F\x8F\x3D\x8B\xE4\x43\xF3\x75\x89\x8D\x51\xE4\xC3\x37\xD2\x8A\x88\x4D\x79\x1E\xB7\x12\xDD\x43\x78\x4A\x8A\x92\xE6\xD7\x48\xD5\x0F\xA4\x3A\x29\x44\x35\xB8\x07\xF6\x68\x1D\x55\xCD\x38\x51\xF0\x8C\x24\x31\x85\xAF\x83\xC9\x7D\xE9\x77\xAF\xED\x1A\x7B\x9D\x17\xF9\xB3\x9D\x38\x50\x0F\xA6\x5A\x79\x91\x80\xAF\x37\xAE\xA6\xD3\x31\xFB\xB5\x26\x09\x9D\x3C\x5A\xEF\x51\xC5\x2B\xDF\x96\x5D\xEB\x32\x1E\x02\xDA\x70\x49\xEC\x6E\x0C\xC8\x9A\x37\x8D\xF7\xF1\x36\x60\x4B\x26\x2C\x82\x9E\xD0\x78\xF3\x0D\x0F\x63\xA4\x51\x30\xE1\xF9\x2B\x27\x12\x07\xD8\xEA\xBD\x18\x62\x98\xB0\x59\x37\x7D\xBE\xEE\xF3\x20\x51\x42\x5A\x83\xEF\x93\xBA\x69\x15\xF1\x62\x9D\x9F\x99\x39\x82\xA1\xB7\x74\x2E\x8B\xD4\xC5\x0B\x7B\x2F\xF0\xC8\x0A\xDA\x3D\x79\x0A\x9A\x93\x1C\xA5\x28\x72\x73\x91\x43\x9A\xA7\xD1\x4D\x85\x84\xB9\xA9\x74\x8F\x14\x40\xC7\xDC\xDE\xAC\x41\x64\x6C\xB4\x19\x9B\x02\x63\x6D\x24\x64\x8F\x44\xB2\x25\xEA\xCE\x5D\x74\x0C\x63\x32\x5C\x8D\x87\xE5\x02\x03\x01\x00\x01\xA3\x81\x89\x30\x81\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\x91\x42\xFD\x13\x61\x4A\x23\x9E\x08\xA4\x29\xE5\xD8\x13\x04\x23\xEE\x41\x25\x30\x47\x06\x03\x55\x1D\x1E\x04\x40\x30\x3E\xA0\x3C\x30\x05\x82\x03\x2E\x67\x72\x30\x05\x82\x03\x2E\x65\x75\x30\x06\x82\x04\x2E\x65\x64\x75\x30\x06\x82\x04\x2E\x6F\x72\x67\x30\x05\x81\x03\x2E\x67\x72\x30\x05\x81\x03\x2E\x65\x75\x30\x06\x81\x04\x2E\x65\x64\x75\x30\x06\x81\x04\x2E\x6F\x72\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1F\xEF\x79\x41\xE1\x7B\x6E\x3F\xB2\x8C\x86\x37\x42\x4A\x4E\x1C\x37\x1E\x8D\x66\xBA\x24\x81\xC9\x4F\x12\x0F\x21\xC0\x03\x97\x86\x25\x6D\x5D\xD3\x22\x29\xA8\x6C\xA2\x0D\xA9\xEB\x3D\x06\x5B\x99\x3A\xC7\xCC\xC3\x9A\x34\x7F\xAB\x0E\xC8\x4E\x1C\xE1\xFA\xE4\xDC\xCD\x0D\xBE\xBF\x24\xFE\x6C\xE7\x6B\xC2\x0D\xC8\x06\x9E\x4E\x8D\x61\x28\xA6\x6A\xFD\xE5\xF6\x62\xEA\x18\x3C\x4E\xA0\x53\x9D\xB2\x3A\x9C\xEB\xA5\x9C\x91\x16\xB6\x4D\x82\xE0\x0C\x05\x48\xA9\x6C\xF5\xCC\xF8\xCB\x9D\x49\xB4\xF0\x02\xA5\xFD\x70\x03\xED\x8A\x21\xA5\xAE\x13\x86\x49\xC3\x33\x73\xBE\x87\x3B\x74\x8B\x17\x45\x26\x4C\x16\x91\x83\xFE\x67\x7D\xCD\x4D\x63\x67\xFA\xF3\x03\x12\x96\x78\x06\x8D\xB1\x67\xED\x8E\x3F\xBE\x9F\x4F\x02\xF5\xB3\x09\x2F\xF3\x4C\x87\xDF\x2A\xCB\x95\x7C\x01\xCC\xAC\x36\x7A\xBF\xA2\x73\x7A\xF7\x8F\xC1\xB5\x9A\xA1\x14\xB2\x8F\x33\x9F\x0D\xEF\x22\xDC\x66\x7B\x84\xBD\x45\x17\x06\x3D\x3C\xCA\xB9\x77\x34\x8F\xCA\xEA\xCF\x3F\x31\x3E\xE3\x88\xE3\x80\x49\x25\xC8\x97\xB5\x9D\x9A\x99\x4D\xB0\x3C\xF8\x4A\x00\x9B\x64\xDD\x9F\x39\x4B\xD1\x27\xD7\xB8",
 	["CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT"] = "\x30\x82\x05\xBB\x30\x82\x03\xA3\xA0\x03\x02\x01\x02\x02\x08\x57\x0A\x11\x97\x42\xC4\xE3\xCC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x31\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x17\x0D\x33\x30\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\xC6\xC4\xA5\x29\xA4\x2C\xEF\xE5\x18\xC5\xB0\x50\xA3\x6F\x51\x3B\x9F\x0A\x5A\xC9\xC2\x48\x38\x0A\xC2\x1C\xA0\x18\x7F\x91\xB5\x87\xB9\x40\x3F\xDD\x1D\x68\x1F\x08\x83\xD5\x2D\x1E\x88\xA0\xF8\x8F\x56\x8F\x6D\x99\x02\x92\x90\x16\xD5\x5F\x08\x6C\x89\xD7\xE1\xAC\xBC\x20\xC2\xB1\xE0\x83\x51\x8A\x69\x4D\x00\x96\x5A\x6F\x2F\xC0\x44\x7E\xA3\x0E\xE4\x91\xCD\x58\xEE\xDC\xFB\xC7\x1E\x45\x47\xDD\x27\xB9\x08\x01\x9F\xA6\x21\x1D\xF5\x41\x2D\x2F\x4C\xFD\x28\xAD\xE0\x8A\xAD\x22\xB4\x56\x65\x8E\x86\x54\x8F\x93\x43\x29\xDE\x39\x46\x78\xA3\x30\x23\xBA\xCD\xF0\x7D\x13\x57\xC0\x5D\xD2\x83\x6B\x48\x4C\xC4\xAB\x9F\x80\x5A\x5B\x3A\xBD\xC9\xA7\x22\x3F\x80\x27\x33\x5B\x0E\xB7\x8A\x0C\x5D\x07\x37\x08\xCB\x6C\xD2\x7A\x47\x22\x44\x35\xC5\xCC\xCC\x2E\x8E\xDD\x2A\xED\xB7\x7D\x66\x0D\x5F\x61\x51\x22\x55\x1B\xE3\x46\xE3\xE3\x3D\xD0\x35\x62\x9A\xDB\xAF\x14\xC8\x5B\xA1\xCC\x89\x1B\xE1\x30\x26\xFC\xA0\x9B\x1F\x81\xA7\x47\x1F\x04\xEB\xA3\x39\x92\x06\x9F\x99\xD3\xBF\xD3\xEA\x4F\x50\x9C\x19\xFE\x96\x87\x1E\x3C\x65\xF6\xA3\x18\x24\x83\x86\x10\xE7\x54\x3E\xA8\x3A\x76\x24\x4F\x81\x21\xC5\xE3\x0F\x02\xF8\x93\x94\x47\x20\xBB\xFE\xD4\x0E\xD3\x68\xB9\xDD\xC4\x7A\x84\x82\xE3\x53\x54\x79\xDD\xDB\x9C\xD2\xF2\x07\x9B\x2E\xB6\xBC\x3E\xED\x85\x6D\xEF\x25\x11\xF2\x97\x1A\x42\x61\xF7\x4A\x97\xE8\x8B\xB1\x10\x07\xFA\x65\x81\xB2\xA2\x39\xCF\xF7\x3C\xFF\x18\xFB\xC6\xF1\x5A\x8B\x59\xE2\x02\xAC\x7B\x92\xD0\x4E\x14\x4F\x59\x45\xF6\x0C\x5E\x28\x5F\xB0\xE8\x3F\x45\xCF\xCF\xAF\x9B\x6F\xFB\x84\xD3\x77\x5A\x95\x6F\xAC\x94\x84\x9E\xEE\xBC\xC0\x4A\x8F\x4A\x93\xF8\x44\x21\xE2\x31\x45\x61\x50\x4E\x10\xD8\xE3\x35\x7C\x4C\x19\xB4\xDE\x05\xBF\xA3\x06\x9F\xC8\xB5\xCD\xE4\x1F\xD7\x17\x06\x0D\x7A\x95\x74\x55\x0D\x68\x1A\xFC\x10\x1B\x62\x64\x9D\x6D\xE0\x95\xA0\xC3\x94\x07\x57\x0D\x14\xE6\xBD\x05\xFB\xB8\x9F\xE6\xDF\x8B\xE2\xC6\xE7\x7E\x96\xF6\x53\xC5\x80\x34\x50\x28\x58\xF0\x12\x50\x71\x17\x30\xBA\xE6\x78\x63\xBC\xF4\xB2\xAD\x9B\x2B\xB2\xFE\xE1\x39\x8C\x5E\xBA\x0B\x20\x94\xDE\x7B\x83\xB8\xFF\xE3\x56\x8D\xB7\x11\xE9\x3B\x8C\xF2\xB1\xC1\x5D\x9D\xA4\x0B\x4C\x2B\xD9\xB2\x18\xF5\xB5\x9F\x4B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x0B\x7B\x72\x87\xC0\x60\xA6\x49\x4C\x88\x58\xE6\x1D\x88\xF7\x14\x64\x48\xA6\xD8\x58\x0A\x0E\x4F\x13\x35\xDF\x35\x1D\xD4\xED\x06\x31\xC8\x81\x3E\x6A\xD5\xDD\x3B\x1A\x32\xEE\x90\x3D\x11\xD2\x2E\xF4\x8E\xC3\x63\x2E\x23\x66\xB0\x67\xBE\x6F\xB6\xC0\x13\x39\x60\xAA\xA2\x34\x25\x93\x75\x52\xDE\xA7\x9D\xAD\x0E\x87\x89\x52\x71\x6A\x16\x3C\x19\x1D\x83\xF8\x9A\x29\x65\xBE\xF4\x3F\x9A\xD9\xF0\xF3\x5A\x87\x21\x71\x80\x4D\xCB\xE0\x38\x9B\x3F\xBB\xFA\xE0\x30\x4D\xCF\x86\xD3\x65\x10\x19\x18\xD1\x97\x02\xB1\x2B\x72\x42\x68\xAC\xA0\xBD\x4E\x5A\xDA\x18\xBF\x6B\x98\x81\xD0\xFD\x9A\xBE\x5E\x15\x48\xCD\x11\x15\xB9\xC0\x29\x5C\xB4\xE8\x88\xF7\x3E\x36\xAE\xB7\x62\xFD\x1E\x62\xDE\x70\x78\x10\x1C\x48\x5B\xDA\xBC\xA4\x38\xBA\x67\xED\x55\x3E\x5E\x57\xDF\xD4\x03\x40\x4C\x81\xA4\xD2\x4F\x63\xA7\x09\x42\x09\x14\xFC\x00\xA9\xC2\x80\x73\x4F\x2E\xC0\x40\xD9\x11\x7B\x48\xEA\x7A\x02\xC0\xD3\xEB\x28\x01\x26\x58\x74\xC1\xC0\x73\x22\x6D\x93\x95\xFD\x39\x7D\xBB\x2A\xE3\xF6\x82\xE3\x2C\x97\x5F\x4E\x1F\x91\x94\xFA\xFE\x2C\xA3\xD8\x76\x1A\xB8\x4D\xB2\x38\x4F\x9B\xFA\x1D\x48\x60\x79\x26\xE2\xF3\xFD\xA9\xD0\x9A\xE8\x70\x8F\x49\x7A\xD6\xE5\xBD\x0A\x0E\xDB\x2D\xF3\x8D\xBF\xEB\xE3\xA4\x7D\xCB\xC7\x95\x71\xE8\xDA\xA3\x7C\xC5\xC2\xF8\x74\x92\x04\x1B\x86\xAC\xA4\x22\x53\x40\xB6\xAC\xFE\x4C\x76\xCF\xFB\x94\x32\xC0\x35\x9F\x76\x3F\x6E\xE5\x90\x6E\xA0\xA6\x26\xA2\xB8\x2C\xBE\xD1\x2B\x85\xFD\xA7\x68\xC8\xBA\x01\x2B\xB1\x6C\x74\x1D\xB8\x73\x95\xE7\xEE\xB7\xC7\x25\xF0\x00\x4C\x00\xB2\x7E\xB6\x0B\x8B\x1C\xF3\xC0\x50\x9E\x25\xB9\xE0\x08\xDE\x36\x66\xFF\x37\xA5\xD1\xBB\x54\x64\x2C\xC9\x27\xB5\x4B\x92\x7E\x65\xFF\xD3\x2D\xE1\xB9\x4E\xBC\x7F\xA4\x41\x21\x90\x41\x77\xA6\x39\x1F\xEA\x9E\xE3\x9F\xD0\x66\x6F\x05\xEC\xAA\x76\x7E\xBF\x6B\x16\xA0\xEB\xB5\xC7\xFC\x92\x54\x2F\x2B\x11\x27\x25\x37\x78\x4C\x51\x6A\xB0\xF3\xCC\x58\x5D\x14\xF1\x6A\x48\x15\xFF\xC2\x07\xB6\xB1\x8D\x0F\x8E\x5C\x50\x46\xB3\x3D\xBF\x01\x98\x4F\xB2\x59\x54\x47\x3E\x34\x7B\x78\x6D\x56\x93\x2E\x73\xEA\x66\x28\x78\xCD\x1D\x14\xBF\xA0\x8F\x2F\x2E\xB8\x2E\x8E\xF2\x14\x8A\xCC\xE9\xB5\x7C\xFB\x6C\x9D\x0C\xA5\xE1\x96",
 	["CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO"] = "\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\xC7\x5E\xF7\xC1\x07\xD4\x77\xFB\x43\x21\xF4\xF4\xF5\x69\xE4\xEE\x32\x01\xDB\xA3\x86\x1F\xE4\x59\x0D\xBA\xE7\x75\x83\x52\xEB\xEA\x1C\x61\x15\x48\xBB\x1D\x07\xCA\x8C\xAE\xB0\xDC\x96\x9D\xEA\xC3\x60\x92\x86\x82\x28\x73\x9C\x56\x06\xFF\x4B\x64\xF0\x0C\x2A\x37\x49\xB5\xE5\xCF\x0C\x7C\xEE\xF1\x4A\xBB\x73\x30\x65\xF3\xD5\x2F\x83\xB6\x7E\xE3\xE7\xF5\x9E\xAB\x60\xF9\xD3\xF1\x9D\x92\x74\x8A\xE4\x1C\x96\xAC\x5B\x80\xE9\xB5\xF4\x31\x87\xA3\x51\xFC\xC7\x7E\xA1\x6F\x8E\x53\x77\xD4\x97\xC1\x55\x33\x92\x3E\x18\x2F\x75\xD4\xAD\x86\x49\xCB\x95\xAF\x54\x06\x6C\xD8\x06\x13\x8D\x5B\xFF\xE1\x26\x19\x59\xC0\x24\xBA\x81\x71\x79\x90\x44\x50\x68\x24\x94\x5F\xB8\xB3\x11\xF1\x29\x41\x61\xA3\x41\xCB\x23\x36\xD5\xC1\xF1\x32\x50\x10\x4E\x7F\xF4\x86\x93\xEC\x84\xD3\x8E\xBC\x4B\xBF\x5C\x01\x4E\x07\x3D\xDC\x14\x8A\x94\x0A\xA4\xEA\x73\xFB\x0B\x51\xE8\x13\x07\x18\xFA\x0E\xF1\x2B\xD1\x54\x15\x7D\x3C\xE1\xF7\xB4\x19\x42\x67\x62\x5E\x77\xE0\xA2\x55\xEC\xB6\xD9\x69\x17\xD5\x3A\xAF\x44\xED\x4A\xC5\x9E\xE4\x7A\x27\x7C\xE5\x75\xD7\xAA\xCB\x25\xE7\xDF\x6B\x0A\xDB\x0F\x4D\x93\x4E\xA8\xA0\xCD\x7B\x2E\xF2\x59\x01\x6A\xB7\x0D\xB8\x07\x81\x7E\x8B\x38\x1B\x38\xE6\x0A\x57\x99\x3D\xEE\x21\xE8\xA3\xF5\x0C\x16\xDD\x8B\xEC\x34\x8E\x9C\x2A\x1C\x00\x15\x17\x8D\x68\x83\xD2\x70\x9F\x18\x08\xCD\x11\x68\xD5\xC9\x6B\x52\xCD\xC4\x46\x8F\xDC\xB5\xF3\xD8\x57\x73\x1E\xE9\x94\x39\x04\xBF\xD3\xDE\x38\xDE\xB4\x53\xEC\x69\x1C\xA2\x7E\xC4\x8F\xE4\x1B\x70\xAD\xF2\xA2\xF9\xFB\xF7\x16\x64\x66\x69\x9F\x49\x51\xA2\xE2\x15\x18\x67\x06\x4A\x7F\xD5\x6C\xB5\x4D\xB3\x33\xE0\x61\xEB\x5D\xBE\xE9\x98\x0F\x32\xD7\x1D\x4B\x3C\x2E\x5A\x01\x52\x91\x09\xF2\xDF\xEA\x8D\xD8\x06\x40\x63\xAA\x11\xE4\xFE\xC3\x37\x9E\x14\x52\x3F\xF4\xE2\xCC\xF2\x61\x93\xD1\xFD\x67\x6B\xD7\x52\xAE\xBF\x68\xAB\x40\x43\xA0\x57\x35\x53\x78\xF0\x53\xF8\x61\x42\x07\x64\xC6\xD7\x6F\x9B\x4C\x38\x0D\x63\xAC\x62\xAF\x36\x8B\xA2\x73\x0A\x0D\xF5\x21\xBD\x74\xAA\x4D\xEA\x72\x03\x49\xDB\xC7\x5F\x1D\x62\x63\xC7\xFD\xDD\x91\xEC\x33\xEE\xF5\x6D\xB4\x6E\x30\x68\xDE\xC8\xD6\x26\xB0\x75\x5E\x7B\xB4\x07\x20\x98\xA1\x76\x32\xB8\x4D\x6C\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC9\x80\x77\xE0\x62\x92\x82\xF5\x46\x9C\xF3\xBA\xF7\x4C\xC3\xDE\xB8\xA3\xAD\x39\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x53\x5F\x21\xF5\xBA\xB0\x3A\x52\x39\x2C\x92\xB0\x6C\x00\xC9\xEF\xCE\x20\xEF\x06\xF2\x96\x9E\xE9\xA4\x74\x7F\x7A\x16\xFC\xB7\xF5\xB6\xFB\x15\x1B\x3F\xAB\xA6\xC0\x72\x5D\x10\xB1\x71\xEE\xBC\x4F\xE3\xAD\xAC\x03\x6D\x2E\x71\x2E\xAF\xC4\xE3\xAD\xA3\xBD\x0C\x11\xA7\xB4\xFF\x4A\xB2\x7B\x10\x10\x1F\xA7\x57\x41\xB2\xC0\xAE\xF4\x2C\x59\xD6\x47\x10\x88\xF3\x21\x51\x29\x30\xCA\x60\x86\xAF\x46\xAB\x1D\xED\x3A\x5B\xB0\x94\xDE\x44\xE3\x41\x08\xA2\xC1\xEC\x1D\xD6\xFD\x4F\xB6\xD6\x47\xD0\x14\x0B\xCA\xE6\xCA\xB5\x7B\x77\x7E\x41\x1F\x5E\x83\xC7\xB6\x8C\x39\x96\xB0\x3F\x96\x81\x41\x6F\x60\x90\xE2\xE8\xF9\xFB\x22\x71\xD9\x7D\xB3\x3D\x46\xBF\xB4\x84\xAF\x90\x1C\x0F\x8F\x12\x6A\xAF\xEF\xEE\x1E\x7A\xAE\x02\x4A\x8A\x17\x2B\x76\xFE\xAC\x54\x89\x24\x2C\x4F\x3F\xB6\xB2\xA7\x4E\x8C\xA8\x91\x97\xFB\x29\xC6\x7B\x5C\x2D\xB9\xCB\x66\xB6\xB7\xA8\x5B\x12\x51\x85\xB5\x09\x7E\x62\x78\x70\xFE\xA9\x6A\x60\xB6\x1D\x0E\x79\x0C\xFD\xCA\xEA\x24\x80\x72\xC3\x97\x3F\xF2\x77\xAB\x43\x22\x0A\xC7\xEB\xB6\x0C\x84\x82\x2C\x80\x6B\x41\x8A\x08\xC0\xEB\xA5\x6B\xDF\x99\x12\xCB\x8A\xD5\x5E\x80\x0C\x91\xE0\x26\x08\x36\x48\xC5\xFA\x38\x11\x35\xFF\x25\x83\x2D\xF2\x7A\xBF\xDA\xFD\x8E\xFE\xA5\xCB\x45\x2C\x1F\xC4\x88\x53\xAE\x77\x0E\xD9\x9A\x76\xC5\x8E\x2C\x1D\xA3\xBA\xD5\xEC\x32\xAE\xC0\xAA\xAC\xF7\xD1\x7A\x4D\xEB\xD4\x07\xE2\x48\xF7\x22\x8E\xB0\xA4\x9F\x6A\xCE\x8E\xB2\xB2\x60\xF4\xA3\x22\xD0\x23\xEB\x94\x5A\x7A\x69\xDD\x0F\xBF\x40\x57\xAC\x6B\x59\x50\xD9\xA3\x99\xE1\x6E\xFE\x8D\x01\x79\x27\x23\x15\xDE\x92\x9D\x7B\x09\x4D\x5A\xE7\x4B\x48\x30\x5A\x18\xE6\x0A\x6D\xE6\x8F\xE0\xD2\xBB\xE6\xDF\x7C\x6E\x21\x82\xC1\x68\x39\x4D\xB4\x98\x58\x66\x62\xCC\x4A\x90\x5E\xC3\xFA\x27\x04\xB1\x79\x15\x74\x99\xCC\xBE\xAD\x20\xDE\x26\x60\x1C\xEB\x56\x51\xA6\xA3\xEA\xE4\xA3\x3F\xA7\xFF\x61\xDC\xF1\x5A\x4D\x6C\x32\x23\x43\xEE\xAC\xA8\xEE\xEE\x4A\x12\x09\x3C\x5D\x71\xC2\xBE\x79\xFA\xC2\x87\x68\x1D\x0B\xFD\x5C\x69\xCC\x06\xD0\x9A\x7D\x54\x99\x2A\xC9\x39\x1A\x19\xAF\x4B\x2A\x43\xF3\x63\x5D\x5A\x58\xE2\x2F\xE3\x1D\xE4\xA9\xD6\xD0\x0A\xD0\x9E\xBF\xD7\x81\x09\xF1\xC9\xC7\x26\x0D\xAC\x98\x16\x56\xA0",
 	["CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO"] = "\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA5\xDA\x0A\x95\x16\x50\xE3\x95\xF2\x5E\x9D\x76\x31\x06\x32\x7A\x9B\xF1\x10\x76\xB8\x00\x9A\xB5\x52\x36\xCD\x24\x47\xB0\x9F\x18\x64\xBC\x9A\xF6\xFA\xD5\x79\xD8\x90\x62\x4C\x22\x2F\xDE\x38\x3D\xD6\xE0\xA8\xE9\x1C\x2C\xDB\x78\x11\xE9\x8E\x68\x51\x15\x72\xC7\xF3\x33\x87\xE4\xA0\x5D\x0B\x5C\xE0\x57\x07\x2A\x30\xF5\xCD\xC4\x37\x77\x28\x4D\x18\x91\xE6\xBF\xD5\x52\xFD\x71\x2D\x70\x3E\xE7\xC6\xC4\x8A\xE3\xF0\x28\x0B\xF4\x76\x98\xA1\x8B\x87\x55\xB2\x3A\x13\xFC\xB7\x3E\x27\x37\x8E\x22\xE3\xA8\x4F\x2A\xEF\x60\xBB\x3D\xB7\x39\xC3\x0E\x01\x47\x99\x5D\x12\x4F\xDB\x43\xFA\x57\xA1\xED\xF9\x9D\xBE\x11\x47\x26\x5B\x13\x98\xAB\x5D\x16\x8A\xB0\x37\x1C\x57\x9D\x45\xFF\x88\x96\x36\xBF\xBB\xCA\x07\x7B\x6F\x87\x63\xD7\xD0\x32\x6A\xD6\x5D\x6C\x0C\xF1\xB3\x6E\x39\xE2\x6B\x31\x2E\x39\x00\x27\x14\xDE\x38\xC0\xEC\x19\x66\x86\x12\xE8\x9D\x72\x16\x13\x64\x52\xC7\xA9\x37\x1C\xFD\x82\x30\xED\x84\x18\x1D\xF4\xAE\x5C\xFF\x70\x13\x00\xEB\xB1\xF5\x33\x7A\x4B\xD6\x55\xF8\x05\x8D\x4B\x69\xB0\xF5\xB3\x28\x36\x5C\x14\xC4\x51\x73\x4D\x6B\x0B\xF1\x34\x07\xDB\x17\x39\xD7\xDC\x28\x7B\x6B\xF5\x9F\xF3\x2E\xC1\x4F\x17\x2A\x10\xF3\xCC\xCA\xE8\xEB\xFD\x6B\xAB\x2E\x9A\x9F\x2D\x82\x6E\x04\xD4\x52\x01\x93\x2D\x3D\x86\xFC\x7E\xFC\xDF\xEF\x42\x1D\xA6\x6B\xEF\xB9\x20\xC6\xF7\xBD\xA0\xA7\x95\xFD\xA7\xE6\x89\x24\xD8\xCC\x8C\x34\x6C\xE2\x23\x2F\xD9\x12\x1A\x21\xB9\x55\x91\x6F\x0B\x91\x79\x19\x0C\xAD\x40\x88\x0B\x70\xE2\x7A\xD2\x0E\xD8\x68\x48\xBB\x82\x13\x39\x10\x58\xE9\xD8\x2A\x07\xC6\x12\xDB\x58\xDB\xD2\x3B\x55\x10\x47\x05\x15\x67\x62\x7E\x18\x63\xA6\x46\x3F\x09\x0E\x54\x32\x5E\xBF\x0D\x62\x7A\x27\xEF\x80\xE8\xDB\xD9\x4B\x06\x5A\x37\x5A\x25\xD0\x08\x12\x77\xD4\x6F\x09\x50\x97\x3D\xC8\x1D\xC3\xDF\x8C\x45\x30\x56\xC6\xD3\x64\xAB\x66\xF3\xC0\x5E\x96\x9C\xC3\xC4\xEF\xC3\x7C\x6B\x8B\x3A\x79\x7F\xB3\x49\xCF\x3D\xE2\x89\x9F\xA0\x30\x4B\x85\xB9\x9C\x94\x24\x79\x8F\x7D\x6B\xA9\x45\x68\x0F\x2B\xD0\xF1\xDA\x1C\xCB\x69\xB8\xCA\x49\x62\x6D\xC8\xD0\x63\x62\xDD\x60\x0F\x58\xAA\x8F\xA1\xBC\x05\xA5\x66\xA2\xCF\x1B\x76\xB2\x84\x64\xB1\x4C\x39\x52\xC0\x30\xBA\xF0\x8C\x4B\x02\xB0\xB6\xB7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\xB8\xCD\xFF\xE5\x6F\xEE\xF8\xB2\xEC\x2F\x4E\x0E\xF9\x25\xB0\x8E\x3C\x6B\xC3\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x00\x20\x23\x41\x35\x04\x90\xC2\x40\x62\x60\xEF\xE2\x35\x4C\xD7\x3F\xAC\xE2\x34\x90\xB8\xA1\x6F\x76\xFA\x16\x16\xA4\x48\x37\x2C\xE9\x90\xC2\xF2\x3C\xF8\x0A\x9F\xD8\x81\xE5\xBB\x5B\xDA\x25\x2C\xA4\xA7\x55\x71\x24\x32\xF6\xC8\x0B\xF2\xBC\x6A\xF8\x93\xAC\xB2\x07\xC2\x5F\x9F\xDB\xCC\xC8\x8A\xAA\xBE\x6A\x6F\xE1\x49\x10\xCC\x31\xD7\x80\xBB\xBB\xC8\xD8\xA2\x0E\x64\x57\xEA\xA2\xF5\xC2\xA9\x31\x15\xD2\x20\x6A\xEC\xFC\x22\x01\x28\xCF\x86\xB8\x80\x1E\xA9\xCC\x11\xA5\x3C\xF2\x16\xB3\x47\x9D\xFC\xD2\x80\x21\xC4\xCB\xD0\x47\x70\x41\xA1\xCA\x83\x19\x08\x2C\x6D\xF2\x5D\x77\x9C\x8A\x14\x13\xD4\x36\x1C\x92\xF0\xE5\x06\x37\xDC\xA6\xE6\x90\x9B\x38\x8F\x5C\x6B\x1B\x46\x86\x43\x42\x5F\x3E\x01\x07\x53\x54\x5D\x65\x7D\xF7\x8A\x73\xA1\x9A\x54\x5A\x1F\x29\x43\x14\x27\xC2\x85\x0F\xB5\x88\x7B\x1A\x3B\x94\xB7\x1D\x60\xA7\xB5\x9C\xE7\x29\x69\x57\x5A\x9B\x93\x7A\x43\x30\x1B\x03\xD7\x62\xC8\x40\xA6\xAA\xFC\x64\xE4\x4A\xD7\x91\x53\x01\xA8\x20\x88\x6E\x9C\x5F\x44\xB9\xCB\x60\x81\x34\xEC\x6F\xD3\x7D\xDA\x48\x5F\xEB\xB4\x90\xBC\x2D\xA9\x1C\x0B\xAC\x1C\xD5\xA2\x68\x20\x80\x04\xD6\xFC\xB1\x8F\x2F\xBB\x4A\x31\x0D\x4A\x86\x1C\xEB\xE2\x36\x29\x26\xF5\xDA\xD8\xC4\xF2\x75\x61\xCF\x7E\xAE\x76\x63\x4A\x7A\x40\x65\x93\x87\xF8\x1E\x80\x8C\x86\xE5\x86\xD6\x8F\x0E\xFC\x53\x2C\x60\xE8\x16\x61\x1A\xA2\x3E\x43\x7B\xCD\x39\x60\x54\x6A\xF5\xF2\x89\x26\x01\x68\x83\x48\xA2\x33\xE8\xC9\x04\x91\xB2\x11\x34\x11\x3E\xEA\xD0\x43\x19\x1F\x03\x93\x90\x0C\xFF\x51\x3D\x57\xF4\x41\x6E\xE1\xCB\xA0\xBE\xEB\xC9\x63\xCD\x6D\xCC\xE4\xF8\x36\xAA\x68\x9D\xED\xBD\x5D\x97\x70\x44\x0D\xB6\x0E\x35\xDC\xE1\x0C\x5D\xBB\xA0\x51\x94\xCB\x7E\x16\xEB\x11\x2F\xA3\x92\x45\xC8\x4C\x71\xD9\xBC\xC9\x99\x52\x57\x46\x2F\x50\xCF\xBD\x35\x69\xF4\x3D\x15\xCE\x06\xA5\x2C\x0F\x3E\xF6\x81\xBA\x94\xBB\xC3\xBB\xBF\x65\x78\xD2\x86\x79\xFF\x49\x3B\x1A\x83\x0C\xF0\xDE\x78\xEC\xC8\xF2\x4D\x4C\x1A\xDE\x82\x29\xF8\xC1\x5A\xDA\xED\xEE\xE6\x27\x5E\xE8\x45\xD0\x9D\x1C\x51\xA8\x68\xAB\x44\xE3\xD0\x8B\x6A\xE3\xF8\x3B\xBB\xDC\x4D\xD7\x64\xF2\x51\xBE\xE6\xAA\xAB\x5A\xE9\x31\xEE\x06\xBC\x73\xBF\x13\x62\x0A\x9F\xC7\xB9\x97",
@@ -79,7 +76,6 @@ redef root_certs += {
 	["CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x05\xDE\x30\x82\x03\xC6\xA0\x03\x02\x01\x02\x02\x10\x01\xFD\x6D\x30\xFC\xA3\xCA\x51\xA8\x1B\xBC\x64\x0E\x35\x03\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x80\x12\x65\x17\x36\x0E\xC3\xDB\x08\xB3\xD0\xAC\x57\x0D\x76\xED\xCD\x27\xD3\x4C\xAD\x50\x83\x61\xE2\xAA\x20\x4D\x09\x2D\x64\x09\xDC\xCE\x89\x9F\xCC\x3D\xA9\xEC\xF6\xCF\xC1\xDC\xF1\xD3\xB1\xD6\x7B\x37\x28\x11\x2B\x47\xDA\x39\xC6\xBC\x3A\x19\xB4\x5F\xA6\xBD\x7D\x9D\xA3\x63\x42\xB6\x76\xF2\xA9\x3B\x2B\x91\xF8\xE2\x6F\xD0\xEC\x16\x20\x90\x09\x3E\xE2\xE8\x74\xC9\x18\xB4\x91\xD4\x62\x64\xDB\x7F\xA3\x06\xF1\x88\x18\x6A\x90\x22\x3C\xBC\xFE\x13\xF0\x87\x14\x7B\xF6\xE4\x1F\x8E\xD4\xE4\x51\xC6\x11\x67\x46\x08\x51\xCB\x86\x14\x54\x3F\xBC\x33\xFE\x7E\x6C\x9C\xFF\x16\x9D\x18\xBD\x51\x8E\x35\xA6\xA7\x66\xC8\x72\x67\xDB\x21\x66\xB1\xD4\x9B\x78\x03\xC0\x50\x3A\xE8\xCC\xF0\xDC\xBC\x9E\x4C\xFE\xAF\x05\x96\x35\x1F\x57\x5A\xB7\xFF\xCE\xF9\x3D\xB7\x2C\xB6\xF6\x54\xDD\xC8\xE7\x12\x3A\x4D\xAE\x4C\x8A\xB7\x5C\x9A\xB4\xB7\x20\x3D\xCA\x7F\x22\x34\xAE\x7E\x3B\x68\x66\x01\x44\xE7\x01\x4E\x46\x53\x9B\x33\x60\xF7\x94\xBE\x53\x37\x90\x73\x43\xF3\x32\xC3\x53\xEF\xDB\xAA\xFE\x74\x4E\x69\xC7\x6B\x8C\x60\x93\xDE\xC4\xC7\x0C\xDF\xE1\x32\xAE\xCC\x93\x3B\x51\x78\x95\x67\x8B\xEE\x3D\x56\xFE\x0C\xD0\x69\x0F\x1B\x0F\xF3\x25\x26\x6B\x33\x6D\xF7\x6E\x47\xFA\x73\x43\xE5\x7E\x0E\xA5\x66\xB1\x29\x7C\x32\x84\x63\x55\x89\xC4\x0D\xC1\x93\x54\x30\x19\x13\xAC\xD3\x7D\x37\xA7\xEB\x5D\x3A\x6C\x35\x5C\xDB\x41\xD7\x12\xDA\xA9\x49\x0B\xDF\xD8\x80\x8A\x09\x93\x62\x8E\xB5\x66\xCF\x25\x88\xCD\x84\xB8\xB1\x3F\xA4\x39\x0F\xD9\x02\x9E\xEB\x12\x4C\x95\x7C\xF3\x6B\x05\xA9\x5E\x16\x83\xCC\xB8\x67\xE2\xE8\x13\x9D\xCC\x5B\x82\xD3\x4C\xB3\xED\x5B\xFF\xDE\xE5\x73\xAC\x23\x3B\x2D\x00\xBF\x35\x55\x74\x09\x49\xD8\x49\x58\x1A\x7F\x92\x36\xE6\x51\x92\x0E\xF3\x26\x7D\x1C\x4D\x17\xBC\xC9\xEC\x43\x26\xD0\xBF\x41\x5F\x40\xA9\x44\x44\xF4\x99\xE7\x57\x87\x9E\x50\x1F\x57\x54\xA8\x3E\xFD\x74\x63\x2F\xB1\x50\x65\x09\xE6\x58\x42\x2E\x43\x1A\x4C\xB4\xF0\x25\x47\x59\xFA\x04\x1E\x93\xD4\x26\x46\x4A\x50\x81\xB2\xDE\xBE\x78\xB7\xFC\x67\x15\xE1\xC9\x57\x84\x1E\x0F\x63\xD6\xE9\x62\xBA\xD6\x5F\x55\x2E\xEA\x5C\xC6\x28\x08\x04\x25\x39\xB8\x0E\x2B\xA9\xF2\x4C\x97\x1C\x07\x3F\x0D\x52\xF5\xED\xEF\x2F\x82\x0F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x53\x79\xBF\x5A\xAA\x2B\x4A\xCF\x54\x80\xE1\xD8\x9B\xC0\x9D\xF2\xB2\x03\x66\xCB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x5C\xD4\x7C\x0D\xCF\xF7\x01\x7D\x41\x99\x65\x0C\x73\xC5\x52\x9F\xCB\xF8\xCF\x99\x06\x7F\x1B\xDA\x43\x15\x9F\x9E\x02\x55\x57\x96\x14\xF1\x52\x3C\x27\x87\x94\x28\xED\x1F\x3A\x01\x37\xA2\x76\xFC\x53\x50\xC0\x84\x9B\xC6\x6B\x4E\xBA\x8C\x21\x4F\xA2\x8E\x55\x62\x91\xF3\x69\x15\xD8\xBC\x88\xE3\xC4\xAA\x0B\xFD\xEF\xA8\xE9\x4B\x55\x2A\x06\x20\x6D\x55\x78\x29\x19\xEE\x5F\x30\x5C\x4B\x24\x11\x55\xFF\x24\x9A\x6E\x5E\x2A\x2B\xEE\x0B\x4D\x9F\x7F\xF7\x01\x38\x94\x14\x95\x43\x07\x09\xFB\x60\xA9\xEE\x1C\xAB\x12\x8C\xA0\x9A\x5E\xA7\x98\x6A\x59\x6D\x8B\x3F\x08\xFB\xC8\xD1\x45\xAF\x18\x15\x64\x90\x12\x0F\x73\x28\x2E\xC5\xE2\x24\x4E\xFC\x58\xEC\xF0\xF4\x45\xFE\x22\xB3\xEB\x2F\x8E\xD2\xD9\x45\x61\x05\xC1\x97\x6F\xA8\x76\x72\x8F\x8B\x8C\x36\xAF\xBF\x0D\x05\xCE\x71\x8D\xE6\xA6\x6F\x1F\x6C\xA6\x71\x62\xC5\xD8\xD0\x83\x72\x0C\xF1\x67\x11\x89\x0C\x9C\x13\x4C\x72\x34\xDF\xBC\xD5\x71\xDF\xAA\x71\xDD\xE1\xB9\x6C\x8C\x3C\x12\x5D\x65\xDA\xBD\x57\x12\xB6\x43\x6B\xFF\xE5\xDE\x4D\x66\x11\x51\xCF\x99\xAE\xEC\x17\xB6\xE8\x71\x91\x8C\xDE\x49\xFE\xDD\x35\x71\xA2\x15\x27\x94\x1C\xCF\x61\xE3\x26\xBB\x6F\xA3\x67\x25\x21\x5D\xE6\xDD\x1D\x0B\x2E\x68\x1B\x3B\x82\xAF\xEC\x83\x67\x85\xD4\x98\x51\x74\xB1\xB9\x99\x80\x89\xFF\x7F\x78\x19\x5C\x79\x4A\x60\x2E\x92\x40\xAE\x4C\x37\x2A\x2C\xC9\xC7\x62\xC8\x0E\x5D\xF7\x36\x5B\xCA\xE0\x25\x25\x01\xB4\xDD\x1A\x07\x9C\x77\x00\x3F\xD0\xDC\xD5\xEC\x3D\xD4\xFA\xBB\x3F\xCC\x85\xD6\x6F\x7F\xA9\x2D\xDF\xB9\x02\xF7\xF5\x97\x9A\xB5\x35\xDA\xC3\x67\xB0\x87\x4A\xA9\x28\x9E\x23\x8E\xFF\x5C\x27\x6B\xE1\xB0\x4F\xF3\x07\xEE\x00\x2E\xD4\x59\x87\xCB\x52\x41\x95\xEA\xF4\x47\xD7\xEE\x64\x41\x55\x7C\x8D\x59\x02\x95\xDD\x62\x9D\xC2\xB9\xEE\x5A\x28\x74\x84\xA5\x9B\xB7\x90\xC7\x0C\x07\xDF\xF5\x89\x36\x74\x32\xD6\x28\xC1\xB0\xB0\x0B\xE0\x9C\x4C\xC3\x1C\xD6\xFC\xE3\x69\xB5\x47\x46\x81\x2F\xA2\x82\xAB\xD3\x63\x44\x70\xC4\x8D\xFF\x2D\x33\xBA\xAD\x8F\x7B\xB5\x70\x88\xAE\x3E\x19\xCF\x40\x28\xD8\xFC\xC8\x90\xBB\x5D\x99\x22\xF5\x52\xE6\x58\xC5\x1F\x88\x31\x43\xEE\x88\x1D\xD7\xC6\x8E\x3C\x43\x6A\x1D\xA7\x18\xDE\x7D\x3D\x16\xF1\x62\xF9\xCA\x90\xA8\xFD",
 	["CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x02\x8F\x30\x82\x02\x15\xA0\x03\x02\x01\x02\x02\x10\x5C\x8B\x99\xC5\x5A\x94\xC5\xD2\x71\x56\xDE\xCD\x89\x80\xCC\x26\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x1A\xAC\x54\x5A\xA9\xF9\x68\x23\xE7\x7A\xD5\x24\x6F\x53\xC6\x5A\xD8\x4B\xAB\xC6\xD5\xB6\xD1\xE6\x73\x71\xAE\xDD\x9C\xD6\x0C\x61\xFD\xDB\xA0\x89\x03\xB8\x05\x14\xEC\x57\xCE\xEE\x5D\x3F\xE2\x21\xB3\xCE\xF7\xD4\x8A\x79\xE0\xA3\x83\x7E\x2D\x97\xD0\x61\xC4\xF1\x99\xDC\x25\x91\x63\xAB\x7F\x30\xA3\xB4\x70\xE2\xC7\xA1\x33\x9C\xF3\xBF\x2E\x5C\x53\xB1\x5F\xB3\x7D\x32\x7F\x8A\x34\xE3\x79\x79\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3A\xE1\x09\x86\xD4\xCF\x19\xC2\x96\x76\x74\x49\x76\xDC\xE0\x35\xC6\x63\x63\x9A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x36\x67\xA1\x16\x08\xDC\xE4\x97\x00\x41\x1D\x4E\xBE\xE1\x63\x01\xCF\x3B\xAA\x42\x11\x64\xA0\x9D\x94\x39\x02\x11\x79\x5C\x7B\x1D\xFA\x64\xB9\xEE\x16\x42\xB3\xBF\x8A\xC2\x09\xC4\xEC\xE4\xB1\x4D\x02\x31\x00\xE9\x2A\x61\x47\x8C\x52\x4A\x4B\x4E\x18\x70\xF6\xD6\x44\xD6\x6E\xF5\x83\xBA\x6D\x58\xBD\x24\xD9\x56\x48\xEA\xEF\xC4\xA2\x46\x81\x88\x6A\x3A\x46\xD1\xA9\x9B\x4D\xC9\x61\xDA\xD1\x5D\x57\x6A\x18",
 	["CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5"] = "\x30\x82\x02\x1E\x30\x82\x01\xA4\xA0\x03\x02\x01\x02\x02\x11\x60\x59\x49\xE0\x26\x2E\xBB\x55\xF9\x0A\x77\x8A\x71\xF9\x4A\xD8\x6C\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x50\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x35\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x31\x32\x31\x31\x31\x33\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x39\x30\x33\x31\x34\x30\x37\x5A\x30\x50\x31\x24\x30\x22\x06\x03\x55\x04\x0B\x13\x1B\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x35\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x47\x45\x0E\x96\xFB\x7D\x5D\xBF\xE9\x39\xD1\x21\xF8\x9F\x0B\xB6\xD5\x7B\x1E\x92\x3A\x48\x59\x1C\xF0\x62\x31\x2D\xC0\x7A\x28\xFE\x1A\xA7\x5C\xB3\xB6\xCC\x97\xE7\x45\xD4\x58\xFA\xD1\x77\x6D\x43\xA2\xC0\x87\x65\x34\x0A\x1F\x7A\xDD\xEB\x3C\x33\xA1\xC5\x9D\x4D\xA4\x6F\x41\x95\x38\x7F\xC9\x1E\x84\xEB\xD1\x9E\x49\x92\x87\x94\x87\x0C\x3A\x85\x4A\x66\x9F\x9D\x59\x93\x4D\x97\x61\x06\x86\x4A\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3D\xE6\x29\x48\x9B\xEA\x07\xCA\x21\x44\x4A\x26\xDE\x6E\xDE\xD2\x83\xD0\x9F\x59\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xE5\x69\x12\xC9\x6E\xDB\xC6\x31\xBA\x09\x41\xE1\x97\xF8\xFB\xFD\x9A\xE2\x7D\x12\xC9\xED\x7C\x64\xD3\xCB\x05\x25\x8B\x56\xD9\xA0\xE7\x5E\x5D\x4E\x0B\x83\x9C\x5B\x76\x29\xA0\x09\x26\x21\x6A\x62\x02\x30\x71\xD2\xB5\x8F\x5C\xEA\x3B\xE1\x78\x09\x85\xA8\x75\x92\x3B\xC8\x5C\xFD\x48\xEF\x0D\x74\x22\xA8\x08\xE2\x6E\xC5\x49\xCE\xC7\x0C\xBC\xA7\x61\x69\xF1\xF7\x3B\xE1\x2A\xCB\xF9\x2B\xF3\x66\x90\x37",
-	["CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL"] = "\x30\x82\x05\x70\x30\x82\x03\x58\xA0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x29\x30\x27\x06\x03\x55\x04\x03\x0C\x20\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x32\x30\x38\x31\x31\x31\x39\x32\x39\x5A\x17\x0D\x32\x32\x31\x32\x30\x38\x31\x31\x31\x30\x32\x38\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x29\x30\x27\x06\x03\x55\x04\x03\x0C\x20\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE3\xC7\x7E\x89\xF9\x24\x4B\x3A\xD2\x33\x83\x35\x2C\x69\xEC\xDC\x09\xA4\xE3\x51\xA8\x25\x2B\x79\xB8\x08\x3D\xE0\x91\xBA\x84\x85\xC6\x85\xA4\xCA\xE6\xC9\x2E\x53\xA4\xC9\x24\x1E\xFD\x55\x66\x71\x5D\x2C\xC5\x60\x68\x04\xB7\xD9\xC2\x52\x26\x38\x88\xA4\xD6\x3B\x40\xA6\xC2\xCD\x3F\xCD\x98\x93\xB3\x54\x14\x58\x96\x55\xD5\x50\xFE\x86\xAD\xA4\x63\x7F\x5C\x87\xF6\x8E\xE6\x27\x92\x67\x17\x92\x02\x03\x2C\xDC\xD6\x66\x74\xED\xDD\x67\xFF\xC1\x61\x8D\x63\x4F\x0F\x9B\x6D\x17\x30\x26\xEF\xAB\xD2\x1F\x10\xA0\xF9\xC5\x7F\x16\x69\x81\x03\x47\xED\x1E\x68\x8D\x72\xA1\x4D\xB2\x26\xC6\xBA\x6C\x5F\x6D\xD6\xAF\xD1\xB1\x13\x8E\xA9\xAD\xF3\x5E\x69\x75\x26\x18\x3E\x41\x2B\x21\x7F\xEE\x8B\x5D\x07\x06\x9D\x43\xC4\x29\x0A\x2B\xFC\x2A\x3E\x86\xCB\x3C\x83\x3A\xF9\xC9\x0D\xDA\xC5\x99\xE2\xBC\x78\x41\x33\x76\xE1\xBF\x2F\x5D\xE5\xA4\x98\x50\x0C\x15\xDD\xE0\xFA\x9C\x7F\x38\x68\xD0\xB2\xA6\x7A\xA7\xD1\x31\xBD\x7E\x8A\x58\x27\x43\xB3\xBA\x33\x91\xD3\xA7\x98\x15\x5C\x9A\xE6\xD3\x0F\x75\xD9\xFC\x41\x98\x97\x3E\xAA\x25\xDB\x8F\x92\x2E\xB0\x7B\x0C\x5F\xF1\x63\xA9\x37\xF9\x9B\x75\x69\x4C\x28\x26\x25\xDA\xD5\xF2\x12\x70\x45\x55\xE3\xDF\x73\x5E\x37\xF5\x21\x6C\x90\x8E\x35\x5A\xC9\xD3\x23\xEB\xD3\xC0\xBE\x78\xAC\x42\x28\x58\x66\xA5\x46\x6D\x70\x02\xD7\x10\xF9\x4B\x54\xFC\x5D\x86\x4A\x87\xCF\x7F\xCA\x45\xAC\x11\x5A\xB5\x20\x51\x8D\x2F\x88\x47\x97\x39\xC0\xCF\xBA\xC0\x42\x01\x40\x99\x48\x21\x0B\x6B\xA7\xD2\xFD\x96\xD5\xD1\xBE\x46\x9D\x49\xE0\x0B\xA6\xA0\x22\x4E\x38\xD0\xC1\x3C\x30\xBC\x70\x8F\x2C\x75\xCC\xD0\xC5\x8C\x51\x3B\x3D\x94\x08\x64\x26\x61\x7D\xB9\xC3\x65\x8F\x14\x9C\x21\xD0\xAA\xFD\x17\x72\x03\x8F\xBD\x9B\x8C\xE6\x5E\x53\x9E\xB9\x9D\xEF\x82\xBB\xE1\xBC\xE2\x72\x41\x5B\x21\x94\xD3\x45\x37\x94\xD1\xDF\x09\x39\x5D\xE7\x23\xAA\x9A\x1D\xCA\x6D\xA8\x0A\x86\x85\x8A\x82\xBE\x42\x07\xD6\xF2\x38\x82\x73\xDA\x87\x5B\xE5\x3C\xD3\x9E\x3E\xA7\x3B\x9E\xF4\x03\xB3\xF9\xF1\x7D\x13\x74\x02\xFF\xBB\xA1\xE5\xFA\x00\x79\x1C\xA6\x66\x41\x88\x5C\x60\x57\xA6\x2E\x09\xC4\xBA\xFD\x9A\xCF\xA7\x1F\x40\xC3\xBB\xCC\x5A\x0A\x55\x4B\x3B\x38\x76\x51\xB8\x63\x8B\x84\x94\x16\xE6\x56\xF3\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFE\xAB\x00\x90\x98\x9E\x24\xFC\xA9\xCC\x1A\x8A\xFB\x27\xB8\xBF\x30\x6E\xA8\x3B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xCF\x77\x2C\x6E\x56\xBE\x4E\xB3\xB6\x84\x00\x94\xAB\x47\xC9\x0D\xD2\x76\xC7\x86\x9F\x1D\x07\xD3\xB6\xB4\xBB\x08\x78\xAF\x69\xD2\x0B\x49\xDE\x33\xC5\xAC\xAD\xC2\x88\x02\x7D\x06\xB7\x35\x02\xC1\x60\xC9\xBF\xC4\xE8\x94\xDE\xD4\xD3\xA9\x13\x25\x5A\xFE\x6E\xA2\xAE\x7D\x05\xDC\x7D\xF3\x6C\xF0\x7E\xA6\x8D\xEE\xD9\xD7\xCE\x58\x17\xE8\xA9\x29\xAE\x73\x48\x87\xE7\x9B\xCA\x6E\x29\xA1\x64\x5F\x19\x13\xF7\xAE\x06\x10\xFF\x51\xC6\x9B\x4D\x55\x25\x4F\x93\x99\x10\x01\x53\x75\xF1\x13\xCE\xC7\xA6\x41\x41\xD2\xBF\x88\xA5\x7F\x45\xFC\xAC\xB8\xA5\xB5\x33\x0C\x82\xC4\xFB\x07\xF6\x6A\xE5\x25\x84\x5F\x06\xCA\xC1\x86\x39\x11\xDB\x58\xCD\x77\x3B\x2C\xC2\x4C\x0F\x5E\x9A\xE3\xF0\xAB\x3E\x61\x1B\x50\x24\xC2\xC0\xF4\xF1\x19\xF0\x11\x29\xB6\xA5\x18\x02\x9B\xD7\x63\x4C\x70\x8C\x47\xA3\x03\x43\x5C\xB9\x5D\x46\xA0\x0D\x6F\xFF\x59\x8E\xBE\xDD\x9F\x72\xC3\x5B\x2B\xDF\x8C\x5B\xCE\xE5\x0C\x46\x6C\x92\xB2\x0A\xA3\x4C\x54\x42\x18\x15\x12\x18\xBD\xDA\xFC\xBA\x74\x6E\xFF\xC1\xB6\xA0\x64\xD8\xA9\x5F\x55\xAE\x9F\x5C\x6A\x76\x96\xD8\x73\x67\x87\xFB\x4D\x7F\x5C\xEE\x69\xCA\x73\x10\xFB\x8A\xA9\xFD\x9E\xBD\x36\x38\x49\x49\x87\xF4\x0E\x14\xF0\xE9\x87\xB8\x3F\xA7\x4F\x7A\x5A\x8E\x79\xD4\x93\xE4\xBB\x68\x52\x84\xAC\x6C\xE9\xF3\x98\x70\x55\x72\x32\xF9\x34\xAB\x2B\x49\xB5\xCD\x20\x62\xE4\x3A\x7A\x67\x63\xAB\x96\xDC\x6D\xAE\x97\xEC\xFC\x9F\x76\x56\x88\x2E\x66\xCF\x5B\xB6\xC9\xA4\xB0\xD7\x05\xBA\xE1\x27\x2F\x93\xBB\x26\x2A\xA2\x93\xB0\x1B\xF3\x8E\xBE\x1D\x40\xA3\xB9\x36\x8F\x3E\x82\x1A\x1A\x5E\x88\xEA\x50\xF8\x59\xE2\x83\x46\x29\x0B\xE3\x44\x5C\xE1\x95\xB6\x69\x90\x9A\x14\x6F\x97\xAE\x81\xCF\x68\xEF\x99\x9A\xBE\xB5\xE7\xE1\x7F\xF8\xFA\x13\x47\x16\x4C\xCC\x6D\x08\x40\xE7\x8B\x78\x6F\x50\x82\x44\x50\x3F\x66\x06\x8A\xAB\x43\x84\x56\x4A\x0F\x20\x2D\x86\x0E\xF5\xD2\xDB\xD2\x7A\x8A\x4B\xCD\xA5\xE8\x4E\xF1\x5E\x26\x25\x01\x59\x23\xA0\x7E\xD2\xF6\x7E\x21\x57\xD7\x27\xBC\x15\x57\x4C\xA4\x46\xC1\xE0\x83\x1E\x0C\x4C\x4D\x1F\x4F\x06\x19\xE2\xF9\xA8\xF4\x3A\x82\xA1\xB2\x79\x43\x79\xD6\xAD\x6F\x7A\x27\x90\x03\xA4\xEA\x24\x87\x3F\xD9\xBD\xD9\xE9\xF2\x5F\x50\x49\x1C\xEE\xEC\xD7\x2E",
 	["CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US"] = "\x30\x82\x05\x60\x30\x82\x03\x48\xA0\x03\x02\x01\x02\x02\x10\x0A\x01\x42\x80\x00\x00\x01\x45\x23\xC8\x44\xB5\x00\x00\x00\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x31\x34\x30\x31\x31\x36\x31\x38\x31\x32\x32\x33\x5A\x17\x0D\x33\x34\x30\x31\x31\x36\x31\x38\x31\x32\x32\x33\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\x50\x19\xDE\x3F\x99\x3D\xD4\x33\x46\xF1\x6F\x51\x61\x82\xB2\xA9\x4F\x8F\x67\x89\x5D\x84\xD9\x53\xDD\x0C\x28\xD9\xD7\xF0\xFF\xAE\x95\x43\x72\x99\xF9\xB5\x5D\x7C\x8A\xC1\x42\xE1\x31\x50\x74\xD1\x81\x0D\x7C\xCD\x9B\x21\xAB\x43\xE2\xAC\xAD\x5E\x86\x6E\xF3\x09\x8A\x1F\x5A\x32\xBD\xA2\xEB\x94\xF9\xE8\x5C\x0A\xEC\xFF\x98\xD2\xAF\x71\xB3\xB4\x53\x9F\x4E\x87\xEF\x92\xBC\xBD\xEC\x4F\x32\x30\x88\x4B\x17\x5E\x57\xC4\x53\xC2\xF6\x02\x97\x8D\xD9\x62\x2B\xBF\x24\x1F\x62\x8D\xDF\xC3\xB8\x29\x4B\x49\x78\x3C\x93\x60\x88\x22\xFC\x99\xDA\x36\xC8\xC2\xA2\xD4\x2C\x54\x00\x67\x35\x6E\x73\xBF\x02\x58\xF0\xA4\xDD\xE5\xB0\xA2\x26\x7A\xCA\xE0\x36\xA5\x19\x16\xF5\xFD\xB7\xEF\xAE\x3F\x40\xF5\x6D\x5A\x04\xFD\xCE\x34\xCA\x24\xDC\x74\x23\x1B\x5D\x33\x13\x12\x5D\xC4\x01\x25\xF6\x30\xDD\x02\x5D\x9F\xE0\xD5\x47\xBD\xB4\xEB\x1B\xA1\xBB\x49\x49\xD8\x9F\x5B\x02\xF3\x8A\xE4\x24\x90\xE4\x62\x4F\x4F\xC1\xAF\x8B\x0E\x74\x17\xA8\xD1\x72\x88\x6A\x7A\x01\x49\xCC\xB4\x46\x79\xC6\x17\xB1\xDA\x98\x1E\x07\x59\xFA\x75\x21\x85\x65\xDD\x90\x56\xCE\xFB\xAB\xA5\x60\x9D\xC4\x9D\xF9\x52\xB0\x8B\xBD\x87\xF9\x8F\x2B\x23\x0A\x23\x76\x3B\xF7\x33\xE1\xC9\x00\xF3\x69\xF9\x4B\xA2\xE0\x4E\xBC\x7E\x93\x39\x84\x07\xF7\x44\x70\x7E\xFE\x07\x5A\xE5\xB1\xAC\xD1\x18\xCC\xF2\x35\xE5\x49\x49\x08\xCA\x56\xC9\x3D\xFB\x0F\x18\x7D\x8B\x3B\xC1\x13\xC2\x4D\x8F\xC9\x4F\x0E\x37\xE9\x1F\xA1\x0E\x6A\xDF\x62\x2E\xCB\x35\x06\x51\x79\x2C\xC8\x25\x38\xF4\xFA\x4B\xA7\x89\x5C\x9C\xD2\xE3\x0D\x39\x86\x4A\x74\x7C\xD5\x59\x87\xC2\x3F\x4E\x0C\x5C\x52\xF4\x3D\xF7\x52\x82\xF1\xEA\xA3\xAC\xFD\x49\x34\x1A\x28\xF3\x41\x88\x3A\x13\xEE\xE8\xDE\xFF\x99\x1D\x5F\xBA\xCB\xE8\x1E\xF2\xB9\x50\x60\xC0\x31\xD3\x73\xE5\xEF\xBE\xA0\xED\x33\x0B\x74\xBE\x20\x20\xC4\x67\x6C\xF0\x08\x03\x7A\x55\x80\x7F\x46\x4E\x96\xA7\xF4\x1E\x3E\xE1\xF6\xD8\x09\xE1\x33\x64\x2B\x63\xD7\x32\x5E\x9F\xF9\xC0\x7B\x0F\x78\x6F\x97\xBC\x93\x9A\xF9\x9C\x12\x90\x78\x7A\x80\x87\x15\xD7\x72\x74\x9C\x55\x74\x78\xB1\xBA\xE1\x6E\x70\x04\xBA\x4F\xA0\xBA\x68\xC3\x7B\xFF\x31\xF0\x73\x3D\x3D\x94\x2A\xB1\x0B\x41\x0E\xA0\xFE\x4D\x88\x65\x6B\x79\x33\xB4\xD7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xED\x44\x19\xC0\xD3\xF0\x06\x8B\xEE\xA4\x7B\xBE\x42\xE7\x26\x54\xC8\x8E\x36\x76\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x0D\xAE\x90\x32\xF6\xA6\x4B\x7C\x44\x76\x19\x61\x1E\x27\x28\xCD\x5E\x54\xEF\x25\xBC\xE3\x08\x90\xF9\x29\xD7\xAE\x68\x08\xE1\x94\x00\x58\xEF\x2E\x2E\x7E\x53\x52\x8C\xB6\x5C\x07\xEA\x88\xBA\x99\x8B\x50\x94\xD7\x82\x80\xDF\x61\x09\x00\x93\xAD\x0D\x14\xE6\xCE\xC1\xF2\x37\x94\x78\xB0\x5F\x9C\xB3\xA2\x73\xB8\x8F\x05\x93\x38\xCD\x8D\x3E\xB0\xB8\xFB\xC0\xCF\xB1\xF2\xEC\x2D\x2D\x1B\xCC\xEC\xAA\x9A\xB3\xAA\x60\x82\x1B\x2D\x3B\xC3\x84\x3D\x57\x8A\x96\x1E\x9C\x75\xB8\xD3\x30\xCD\x60\x08\x83\x90\xD3\x8E\x54\xF1\x4D\x66\xC0\x5D\x74\x03\x40\xA3\xEE\x85\x7E\xC2\x1F\x77\x9C\x06\xE8\xC1\xA7\x18\x5D\x52\x95\xED\xC9\xDD\x25\x9E\x6D\xFA\xA9\xED\xA3\x3A\x34\xD0\x59\x7B\xDA\xED\x50\xF3\x35\xBF\xED\xEB\x14\x4D\x31\xC7\x60\xF4\xDA\xF1\x87\x9C\xE2\x48\xE2\xC6\xC5\x37\xFB\x06\x10\xFA\x75\x59\x66\x31\x47\x29\xDA\x76\x9A\x1C\xE9\x82\xAE\xEF\x9A\xB9\x51\xF7\x88\x23\x9A\x69\x95\x62\x3C\xE5\x55\x80\x36\xD7\x54\x02\xFF\xF1\xB9\x5D\xCE\xD4\x23\x6F\xD8\x45\x84\x4A\x5B\x65\xEF\x89\x0C\xDD\x14\xA7\x20\xCB\x18\xA5\x25\xB4\x0D\xF9\x01\xF0\xA2\xD2\xF4\x00\xC8\x74\x8E\xA1\x2A\x48\x8E\x65\xDB\x13\xC4\xE2\x25\x17\x7D\xEB\xBE\x87\x5B\x17\x20\x54\x51\x93\x4A\x53\x03\x0B\xEC\x5D\xCA\x33\xED\x62\xFD\x45\xC7\x2F\x5B\xDC\x58\xA0\x80\x39\xE6\xFA\xD7\xFE\x13\x14\xA6\xED\x3D\x94\x4A\x42\x74\xD4\xC3\x77\x59\x73\xCD\x8F\x46\xBE\x55\x38\xEF\xFA\xE8\x91\x32\xEA\x97\x58\x04\x22\xDE\x38\xC3\xCC\xBC\x6D\xC9\x33\x3A\x6A\x0A\x69\x3F\xA0\xC8\xEA\x72\x8F\x8C\x63\x86\x23\xBD\x6D\x3C\x96\x9E\x95\xE0\x49\x4C\xAA\xA2\xB9\x2A\x1B\x9C\x36\x81\x78\xED\xC3\xE8\x46\xE2\x26\x59\x44\x75\x1E\xD9\x75\x89\x51\xCD\x10\x84\x9D\x61\x60\xCB\x5D\xF9\x97\x22\x4D\x8E\x98\xE6\xE3\x7F\xF6\x5B\xBB\xAE\xCD\xCA\x4A\x81\x6B\x5E\x0B\xF3\x51\xE1\x74\x2B\xE9\x7E\x27\xA7\xD9\x99\x49\x4E\xF8\xA5\x80\xDB\x25\x0F\x1C\x63\x62\x8A\xC9\x33\x67\x6B\x3C\x10\x83\xC6\xAD\xDE\xA8\xCD\x16\x8E\x8D\xF0\x07\x37\x71\x9F\xF2\xAB\xFC\x41\xF5\xC1\x8B\xEC\x00\x37\x5D\x09\xE5\x4E\x80\xEF\xFA\xB1\x5C\x38\x06\xA5\x1B\x4A\xE1\xDC\x38\x2D\x3C\xDC\xAB\x1F\x90\x1A\xD5\x4A\x9C\xEE\xD1\x70\x6C\xCC\xEE\xF4\x57\xF8\x18\xBA\x84\x6E\x87",
 	["CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US"] = "\x30\x82\x05\x66\x30\x82\x03\x4E\xA0\x03\x02\x01\x02\x02\x10\x0A\x01\x42\x80\x00\x00\x01\x45\x23\xCF\x46\x7C\x00\x00\x00\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x53\x65\x63\x74\x6F\x72\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x31\x34\x30\x31\x31\x36\x31\x37\x35\x33\x33\x32\x5A\x17\x0D\x33\x34\x30\x31\x31\x36\x31\x37\x35\x33\x33\x32\x5A\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x49\x64\x65\x6E\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x53\x65\x63\x74\x6F\x72\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB6\x22\x94\xFC\xA4\x48\xAF\xE8\x47\x6B\x0A\xFB\x27\x76\xE4\xF2\x3F\x8A\x3B\x7A\x4A\x2C\x31\x2A\x8C\x8D\xB0\xA9\xC3\x31\x6B\xA8\x77\x76\x84\x26\xB6\xAC\x81\x42\x0D\x08\xEB\x55\x58\xBB\x7A\xF8\xBC\x65\x7D\xF2\xA0\x6D\x8B\xA8\x47\xE9\x62\x76\x1E\x11\xEE\x08\x14\xD1\xB2\x44\x16\xF4\xEA\xD0\xFA\x1E\x2F\x5E\xDB\xCB\x73\x41\xAE\xBC\x00\xB0\x4A\x2B\x40\xB2\xAC\xE1\x3B\x4B\xC2\x2D\x9D\xE4\xA1\x9B\xEC\x1A\x3A\x1E\xF0\x08\xB3\xD0\xE4\x24\x35\x07\x9F\x9C\xB4\xC9\x52\x6D\xDB\x07\xCA\x8F\xB5\x5B\xF0\x83\xF3\x4F\xC7\x2D\xA5\xC8\xAD\xCB\x95\x20\xA4\x31\x28\x57\x58\x5A\xE4\x8D\x1B\x9A\xAB\x9E\x0D\x0C\xF2\x0A\x33\x39\x22\x39\x0A\x97\x2E\xF3\x53\x77\xB9\x44\x45\xFD\x84\xCB\x36\x20\x81\x59\x2D\x9A\x6F\x6D\x48\x48\x61\xCA\x4C\xDF\x53\xD1\xAF\x52\xBC\x44\x9F\xAB\x2F\x6B\x83\x72\xEF\x75\x80\xDA\x06\x33\x1B\x5D\xC8\xDA\x63\xC6\x4D\xCD\xAC\x66\x31\xCD\xD1\xDE\x3E\x87\x10\x36\xE1\xB9\xA4\x7A\xEF\x60\x50\xB2\xCB\xCA\xA6\x56\xE0\x37\xAF\xAB\x34\x13\x39\x25\xE8\x39\x66\xE4\x98\x7A\xAA\x12\x98\x9C\x59\x66\x86\x3E\xAD\xF1\xB0\xCA\x3E\x06\x0F\x7B\xF0\x11\x4B\x37\xA0\x44\x6D\x7B\xCB\xA8\x8C\x71\xF4\xD5\xB5\x91\x36\xCC\xF0\x15\xC6\x2B\xDE\x51\x17\xB1\x97\x4C\x50\x3D\xB1\x95\x59\x7C\x05\x7D\x2D\x21\xD5\x00\xBF\x01\x67\xA2\x5E\x7B\xA6\x5C\xF2\xF7\x22\xF1\x90\x0D\x93\xDB\xAA\x44\x51\x66\xCC\x7D\x76\x03\xEB\x6A\xA8\x2A\x38\x19\x97\x76\x0D\x6B\x8A\x61\xF9\xBC\xF6\xEE\x76\xFD\x70\x2B\xDD\x29\x3C\xF8\x0A\x1E\x5B\x42\x1C\x8B\x56\x2F\x55\x1B\x1C\xA1\x2E\xB5\xC7\x16\xE6\xF8\xAA\x3C\x92\x8E\x69\xB6\x01\xC1\xB5\x86\x9D\x89\x0F\x0B\x38\x94\x54\xE8\xEA\xDC\x9E\x3D\x25\xBC\x53\x26\xED\xD5\xAB\x39\xAA\xC5\x40\x4C\x54\xAB\xB2\xB4\xD9\xD9\xF8\xD7\x72\xDB\x1C\xBC\x6D\xBD\x65\x5F\xEF\x88\x35\x2A\x66\x2F\xEE\xF6\xB3\x65\xF0\x33\x8D\x7C\x98\x41\x69\x46\x0F\x43\x1C\x69\xFA\x9B\xB5\xD0\x61\x6A\xCD\xCA\x4B\xD9\x4C\x90\x46\xAB\x15\x59\xA1\x47\x54\x29\x2E\x83\x28\x5F\x1C\xC2\xA2\xAB\x72\x17\x00\x06\x8E\x45\xEC\x8B\xE2\x33\x3D\x7F\xDA\x19\x44\xE4\x62\x72\xC3\xDF\x22\xC6\xF2\x56\xD4\xDD\x5F\x95\x72\xED\x6D\x5F\xF7\x48\x03\x5B\xFD\xC5\x2A\xA0\xF6\x73\x23\x84\x10\x1B\x01\xE7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x71\xE0\x9E\xD8\xA7\x42\xD9\xDB\x71\x91\x6B\x94\x93\xEB\xC3\xA3\xD1\x14\xA3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x47\xFA\xDD\x0A\xB0\x11\x91\x38\xAD\x4D\x5D\xF7\xE5\x0E\x97\x54\x19\x82\x48\x87\x54\x8C\xAA\x64\x99\xD8\x5A\xFE\x88\x01\xC5\x58\xA5\x99\xB1\x23\x54\x23\xB7\x6A\x1D\x20\x57\xE5\x01\x62\x41\x17\xD3\x09\xDB\x75\xCB\x6E\x54\x90\x75\xFE\x1A\x9F\x81\x0A\xC2\xDD\xD7\xF7\x09\xD0\x5B\x72\x15\xE4\x1E\x09\x6A\x3D\x33\xF3\x21\x9A\xE6\x15\x7E\xAD\x51\xD5\x0D\x10\xED\x7D\x42\xC0\x8F\xEE\xC0\x9A\x08\xD5\x41\xD6\x5C\x0E\x21\x69\x6E\x80\x61\x0E\x15\xC0\xB8\xCF\xC5\x49\x12\x52\xCC\xBE\x3A\xCC\xD4\x2E\x38\x05\xDE\x35\xFD\x1F\x6F\xB8\x80\x68\x98\x3D\x4D\xA0\xCA\x40\x65\xD2\x73\x7C\xF5\x8B\xD9\x0A\x95\x3F\xD8\x3F\x23\x6D\x1A\xD1\x2A\x24\x19\xD9\x85\xB3\x17\xEF\x78\x6E\xA9\x58\xD1\x23\xD3\xC7\x13\xED\x72\x25\x7F\x5D\xB1\x73\x70\xD0\x7F\x06\x97\x09\x84\x29\x80\x61\x1D\xFA\x5E\xFF\x73\xAC\xA0\xE3\x89\xB8\x1C\x71\x15\xC6\xDE\x31\x7F\x12\xDC\xE1\x6D\x9B\xAF\xE7\xE8\x9F\x75\x78\x4C\xAB\x46\x3B\x9A\xCE\xBF\x05\x18\x5D\x4D\x15\x3C\x16\x9A\x19\x50\x04\x9A\xB2\x9A\x6F\x65\x8B\x52\x5F\x3C\x58\x04\x28\x25\xC0\x66\x61\x31\x7E\xB9\xE0\x75\xB9\x1A\xA8\x81\xD6\x72\x17\xB3\xC5\x03\x31\x35\x11\x78\x78\xA2\xE0\xE9\x30\x8C\x7F\x80\xDF\x58\xDF\x3C\xBA\x27\x96\xE2\x80\x34\x6D\xE3\x98\xD3\x64\x27\xAC\x48\x7E\x28\x77\x5C\xC6\x25\x61\x25\xF8\x85\x0C\x65\xFA\xC4\x32\x2F\xA5\x98\x05\xE4\xF8\x0B\x67\x16\x16\xC6\x82\xB8\x32\x19\xF9\xF9\xB9\x79\xDC\x1F\xCD\xEB\xAF\xAB\x0E\xDD\x1B\xDB\x45\xE4\x7A\xE7\x02\xE2\x95\x5D\xFC\x69\xF0\x53\x69\x61\x95\x75\x79\x0B\x5E\x55\xE6\x38\x1C\x94\xA9\x59\x33\x9E\xC8\x71\x74\x79\x7F\x51\x89\xB6\xC8\x6A\xB8\x30\xC8\x6A\x38\xC3\x6E\x9E\xE1\x37\x16\xEA\x05\x62\x4C\x5B\x12\x47\xED\xA7\xB4\xB3\x58\x56\xC7\x49\xF3\x7F\x12\x68\x09\x31\x71\xF0\x6D\xF8\x4E\x47\xFB\xD6\x85\xEE\xC5\x58\x40\x19\xA4\x1D\xA7\xF9\x4B\x43\x37\xDC\x68\x5A\x4F\xCF\xEB\xC2\x64\x74\xDE\xB4\x15\xD9\xF4\x54\x54\x1A\x2F\x1C\xD7\x97\x71\x54\x90\x8E\xD9\x20\x9D\x53\x2B\x7F\xAB\x8F\xE2\xEA\x30\xBC\x50\x37\xEF\xF1\x47\xB5\x7D\x7C\x2C\x04\xEC\x68\x9D\xB4\x49\x44\x10\xF4\x72\x4B\x1C\x64\xE7\xFC\xE6\x6B\x90\xDD\x69\x7D\x69\xFD\x00\x56\xA5\xB7\xAC\xB6\xAD\xB7\xCA\x3E\x01\xEF\x9C",
 	["CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US"] = "\x30\x82\x04\x3E\x30\x82\x03\x26\xA0\x03\x02\x01\x02\x02\x04\x4A\x53\x8C\x28\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xBE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x39\x30\x37\x30\x37\x31\x37\x32\x35\x35\x34\x5A\x17\x0D\x33\x30\x31\x32\x30\x37\x31\x37\x35\x35\x35\x34\x5A\x30\x81\xBE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBA\x84\xB6\x72\xDB\x9E\x0C\x6B\xE2\x99\xE9\x30\x01\xA7\x76\xEA\x32\xB8\x95\x41\x1A\xC9\xDA\x61\x4E\x58\x72\xCF\xFE\xF6\x82\x79\xBF\x73\x61\x06\x0A\xA5\x27\xD8\xB3\x5F\xD3\x45\x4E\x1C\x72\xD6\x4E\x32\xF2\x72\x8A\x0F\xF7\x83\x19\xD0\x6A\x80\x80\x00\x45\x1E\xB0\xC7\xE7\x9A\xBF\x12\x57\x27\x1C\xA3\x68\x2F\x0A\x87\xBD\x6A\x6B\x0E\x5E\x65\xF3\x1C\x77\xD5\xD4\x85\x8D\x70\x21\xB4\xB3\x32\xE7\x8B\xA2\xD5\x86\x39\x02\xB1\xB8\xD2\x47\xCE\xE4\xC9\x49\xC4\x3B\xA7\xDE\xFB\x54\x7D\x57\xBE\xF0\xE8\x6E\xC2\x79\xB2\x3A\x0B\x55\xE2\x50\x98\x16\x32\x13\x5C\x2F\x78\x56\xC1\xC2\x94\xB3\xF2\x5A\xE4\x27\x9A\x9F\x24\xD7\xC6\xEC\xD0\x9B\x25\x82\xE3\xCC\xC2\xC4\x45\xC5\x8C\x97\x7A\x06\x6B\x2A\x11\x9F\xA9\x0A\x6E\x48\x3B\x6F\xDB\xD4\x11\x19\x42\xF7\x8F\x07\xBF\xF5\x53\x5F\x9C\x3E\xF4\x17\x2C\xE6\x69\xAC\x4E\x32\x4C\x62\x77\xEA\xB7\xE8\xE5\xBB\x34\xBC\x19\x8B\xAE\x9C\x51\xE7\xB7\x7E\xB5\x53\xB1\x33\x22\xE5\x6D\xCF\x70\x3C\x1A\xFA\xE2\x9B\x67\xB6\x83\xF4\x8D\xA5\xAF\x62\x4C\x4D\xE0\x58\xAC\x64\x34\x12\x03\xF8\xB6\x8D\x94\x63\x24\xA4\x71\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x72\x26\x7A\xD0\x1E\xEF\x7D\xE7\x3B\x69\x51\xD4\x6C\x8D\x9F\x90\x12\x66\xAB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x79\x9F\x1D\x96\xC6\xB6\x79\x3F\x22\x8D\x87\xD3\x87\x03\x04\x60\x6A\x6B\x9A\x2E\x59\x89\x73\x11\xAC\x43\xD1\xF5\x13\xFF\x8D\x39\x2B\xC0\xF2\xBD\x4F\x70\x8C\xA9\x2F\xEA\x17\xC4\x0B\x54\x9E\xD4\x1B\x96\x98\x33\x3C\xA8\xAD\x62\xA2\x00\x76\xAB\x59\x69\x6E\x06\x1D\x7E\xC4\xB9\x44\x8D\x98\xAF\x12\xD4\x61\xDB\x0A\x19\x46\x47\xF3\xEB\xF7\x63\xC1\x40\x05\x40\xA5\xD2\xB7\xF4\xB5\x9A\x36\xBF\xA9\x88\x76\x88\x04\x55\x04\x2B\x9C\x87\x7F\x1A\x37\x3C\x7E\x2D\xA5\x1A\xD8\xD4\x89\x5E\xCA\xBD\xAC\x3D\x6C\xD8\x6D\xAF\xD5\xF3\x76\x0F\xCD\x3B\x88\x38\x22\x9D\x6C\x93\x9A\xC4\x3D\xBF\x82\x1B\x65\x3F\xA6\x0F\x5D\xAA\xFC\xE5\xB2\x15\xCA\xB5\xAD\xC6\xBC\x3D\xD0\x84\xE8\xEA\x06\x72\xB0\x4D\x39\x32\x78\xBF\x3E\x11\x9C\x0B\xA4\x9D\x9A\x21\xF3\xF0\x9B\x0B\x30\x78\xDB\xC1\xDC\x87\x43\xFE\xBC\x63\x9A\xCA\xC5\xC2\x1C\xC9\xC7\x8D\xFF\x3B\x12\x58\x08\xE6\xB6\x3D\xEC\x7A\x2C\x4E\xFB\x83\x96\xCE\x0C\x3C\x69\x87\x54\x73\xA4\x73\xC2\x93\xFF\x51\x10\xAC\x15\x54\x01\xD8\xFC\x05\xB1\x89\xA1\x7F\x74\x83\x9A\x49\xD7\xDC\x4E\x7B\x8A\x48\x6F\x8B\x45\xF6",
@@ -146,4 +142,12 @@ redef root_certs += {
 	["CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI"] = "\x30\x82\x05\x74\x30\x82\x03\x5C\xA0\x03\x02\x01\x02\x02\x0F\x01\x67\x5F\x27\xD6\xFE\x7A\xE3\xE4\xAC\xBE\x09\x5B\x05\x9E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x54\x65\x6C\x69\x61\x20\x46\x69\x6E\x6C\x61\x6E\x64\x20\x4F\x79\x6A\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x54\x65\x6C\x69\x61\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x76\x32\x30\x1E\x17\x0D\x31\x38\x31\x31\x32\x39\x31\x31\x35\x35\x35\x34\x5A\x17\x0D\x34\x33\x31\x31\x32\x39\x31\x31\x35\x35\x35\x34\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x54\x65\x6C\x69\x61\x20\x46\x69\x6E\x6C\x61\x6E\x64\x20\x4F\x79\x6A\x31\x19\x30\x17\x06\x03\x55\x04\x03\x0C\x10\x54\x65\x6C\x69\x61\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x76\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB2\xD0\x3F\x07\xBC\xE2\x7B\xD0\x6B\x99\xF8\xE2\x77\x69\xE7\xCE\x9D\xA4\x03\xBC\x82\x6D\xA1\xFE\x81\x65\x1F\x4C\x27\xAC\x8E\x00\xBA\x16\x7B\xEB\x30\x6A\x00\xC0\xB3\x74\x68\x7E\xB2\xAF\xC7\xD5\x62\xB3\x7A\x3F\x50\xCA\x8C\x36\x44\x24\x63\xD2\x36\xE9\x0C\x85\xF6\x43\x76\xD5\x4C\xA1\x60\x72\x67\xE2\x28\x33\xA5\xCB\x31\xB8\x3A\x22\x23\x34\xB8\x7D\xBD\x56\x22\x40\x9D\xEA\xF4\x7B\x03\xAD\x68\xFC\xB2\x81\x4F\x98\xD0\x74\xEA\x8D\xE5\x7D\xCD\x63\xC3\xA3\xF6\xDE\x92\xC2\x58\x19\xE0\x96\xBB\xC5\xC4\xA9\x3D\xA5\x74\x96\xFE\xAF\xF9\x89\xAA\xBD\x95\x17\x54\xD8\x78\x44\xF1\x0C\x77\x15\x92\xE0\x98\x42\xA7\xA4\xD6\xAA\x20\x92\xCD\xC1\xA0\xB3\x96\xB2\x3A\x84\x42\x8D\x7D\xD5\x95\xE4\xD6\xDB\xE9\x62\xC4\x58\xB3\x79\xC5\x8C\xD3\x35\x33\x83\x9F\x75\xA1\x52\x27\x61\x38\xF1\x59\x3D\x8E\x50\xE0\xBD\x79\x3C\xE7\x6C\x96\xFE\x5E\xD9\x02\x65\xB4\x8E\x5C\xD0\x11\x34\xDF\x5D\xBF\x52\xA7\x81\x00\xC3\x7F\x99\x45\x99\x15\xD5\x17\xC8\x0A\x53\xEC\x63\xF3\x99\x7D\xCC\x69\x12\x86\xC2\x17\xF0\x01\x9E\xBF\x84\xBC\xD1\x52\xCB\x1B\x92\x66\xCE\xA4\x53\xE5\xA1\xBF\xC4\xDB\x09\xD6\xE6\x89\x56\x2B\xC8\xE3\x7C\xDE\xE3\xFF\x89\xE5\x35\x6E\x28\xE8\x6C\x0B\x23\x51\xA9\x25\x05\xEB\x48\xF8\xDD\xB1\xCA\xFA\x6C\x08\x51\xEF\xB7\x18\x6C\x44\xCA\x26\xE1\x73\xC6\x89\x06\x81\xE5\x8A\xAC\xB0\xE2\x29\xC6\xB9\x24\xB3\x6B\x44\x11\xF4\xA5\x43\xC2\x4C\x43\xE5\x70\x36\x8C\xB6\x33\x57\x7A\x95\x2E\x82\xA0\xF4\x5C\x10\xB3\x61\x83\xF6\x02\x05\x86\x2E\x7C\x2D\x6C\xDC\x03\x46\x6E\x35\x93\xD5\x7A\x95\x2F\xDE\x20\xD8\x5B\x7E\x94\x90\x04\x6A\xBA\x59\x3D\x04\x05\x75\x9D\x37\xA2\x0E\x2E\x3D\xEB\xC1\xA4\x52\x83\xFE\xD0\x6B\xD4\x66\x8E\xDC\xC6\xE9\x12\x4E\x1D\x2A\x57\xAA\x10\xBC\x7C\x5E\x82\x7D\xA6\xA6\xC9\xF2\x2D\xB9\xF5\x17\x27\xAD\xD1\x0E\x89\x54\x2B\x95\xFA\xC0\xAD\x1D\x98\x14\x78\x33\x42\x86\x0A\xA9\x73\xB5\xFB\x74\x0D\xB7\x1B\x30\x19\xC4\x5A\x0E\x1C\x27\xB7\xDA\x18\xD0\xFF\x8A\xC8\x05\xBA\xF1\xAA\x1C\xA2\x37\xB7\xE6\x48\xA4\x46\x2C\x94\xEA\xA8\x76\x62\x47\x8B\x10\x53\x07\x48\x57\x6C\xE2\x92\x4D\xB6\xAE\x05\xCB\xDC\xC1\x4A\x5E\x8F\xAC\x3D\x19\x4E\xC2\xED\x60\x75\x2B\xDB\xC1\xCA\x42\xD5\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x72\xAC\xE4\x33\x79\xAA\x45\x87\xF6\xFD\xAC\x1D\x9E\xD6\xC7\x2F\x86\xD8\x24\x39\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x72\xAC\xE4\x33\x79\xAA\x45\x87\xF6\xFD\xAC\x1D\x9E\xD6\xC7\x2F\x86\xD8\x24\x39\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xA0\x3B\x59\xA7\x09\x94\x3E\x36\x84\xD2\x7E\x2F\x39\xA5\x96\x97\xFA\x11\xAD\xFC\x67\xF3\x71\x09\xF2\xB2\x89\x84\x67\x44\xAF\xB9\xEF\xED\x96\xEC\x9C\x64\xDB\x32\x30\x6F\x67\x9A\xAC\x7E\x5F\xB2\xAB\x01\x36\x7E\x81\xFA\xE4\x84\x5E\xD2\xAC\x36\xE0\x6B\x62\xC5\x7D\x4B\x0E\x82\x6D\xD2\x76\x62\xD1\xFE\x97\xF8\x9F\x30\x7C\x18\xF9\xB4\x52\x77\x82\x1D\x76\xDB\xD3\x1D\xA9\xF0\xC1\x9A\x00\xBD\x6D\x75\xD8\x7D\xE7\xFA\xC7\x38\xA3\x9C\x70\xE8\x46\x79\x03\xAF\x2E\x74\xDB\x75\xF8\x6E\x53\x0C\x03\xC8\x99\x1A\x89\x35\x19\x3C\xD3\xC9\x54\x7C\xA8\xF0\x2C\xE6\x6E\x07\x79\x6F\x6A\xE1\xE6\xEA\x91\x82\x69\x0A\x1D\xC3\x7E\x59\xA2\x9E\x6B\x46\x15\x98\x5B\xD3\xAF\x46\x1D\x62\xC8\xCE\x80\x52\x49\x11\x3F\xC9\x04\x12\xC3\x13\x7C\x3F\x3B\x8A\x96\xDB\x3C\xA0\x1E\x0A\xB4\x8B\x54\xB2\x24\x67\x0D\xEF\x82\xCB\xBE\x3C\x7D\xD1\xE2\x7F\xAE\x16\xD6\x56\x58\xB9\xDA\x20\xB1\x83\x15\xA1\xEF\x8A\x4D\x32\x6F\x41\x2F\x13\x52\x82\x94\xD7\x1A\xC1\x78\xA2\x51\xDD\x2B\x70\x6D\xB7\x1A\xF9\xF7\xB0\xE0\x67\x97\x56\xDB\x7C\x61\x53\x09\x03\x28\x02\x40\xC7\xB3\xD8\xFD\x9C\x70\x6A\xC6\x28\xC3\x85\xE9\xE2\xED\x1A\x93\xA0\xDE\x4B\x98\xA2\x84\x3E\x05\x77\x01\x96\x3D\xFB\xB4\x20\x0F\x9C\x72\x02\x7A\x12\x2F\xD5\xA3\xBA\x51\x78\xAF\x2A\x2B\x44\x65\x4E\xB5\xFD\x0A\xE8\xC1\xCD\x79\x87\x61\x2B\xDE\x80\x57\x45\xBF\x67\xF1\x9B\x91\x5E\xA5\xA4\xEC\x59\x48\x10\x0D\x38\xC7\xB0\xFA\xC3\x44\x6D\x04\xF5\x78\x50\x1C\x92\x96\x5B\xDA\xF5\xB8\x2E\xBA\x5B\xCF\xE5\xF0\x6A\x9D\x4B\x2F\x58\x73\x2D\x4F\x2D\xC4\x1C\x3E\xF4\xB3\x3F\xAB\x15\x0E\x3B\x19\x41\x8A\xA4\xC1\x57\x12\x66\x71\x4C\xFA\x53\xE3\x57\xEB\x62\x95\x09\x9E\x54\xDD\xD1\xC2\x3C\x57\x3C\xBD\x38\xAD\x98\x64\xB7\xB8\x03\x9A\x53\x56\x60\x5D\xB3\xD8\x42\x1B\x5C\x4B\x12\x8A\x1C\xEB\xEB\x7D\xC6\x7A\x69\xC7\x27\x7F\xA4\xF8\x8B\xF2\xE4\x94\x66\x87\x4B\xE9\x94\x07\x09\x12\x79\x8A\xB2\xEB\x74\x04\xDC\xCE\xF4\x44\x59\xE0\x16\xCA\xC5\x2C\x58\xD7\x3C\x7B\xCF\x62\x86\x6A\x50\x7D\x35\x36\x66\xA7\xFB\x37\xE7\x28\xC7\xD8\xD0\xAD\xA5\x69\x94\x8F\xE8\xC1\xDF\x24\xF8\x1B\x07\x31\x87\x81\xD8\x5D\xF6\xE8\x28\xD8\x4A\x52\x80\xAC\x13\xEE\x50\x14\x1E\x98\xC7",
 	["CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE"] = "\x30\x82\x02\xDB\x30\x82\x02\x60\xA0\x03\x02\x01\x02\x02\x10\x7C\xC9\x8F\x2B\x84\xD7\xDF\xEA\x0F\xC9\x65\x9A\xD3\x4B\x4D\x96\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x44\x2D\x54\x52\x55\x53\x54\x20\x42\x52\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x20\x32\x30\x32\x30\x30\x1E\x17\x0D\x32\x30\x30\x32\x31\x31\x30\x39\x34\x35\x30\x30\x5A\x17\x0D\x33\x35\x30\x32\x31\x31\x30\x39\x34\x34\x35\x39\x5A\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x44\x2D\x54\x52\x55\x53\x54\x20\x42\x52\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x20\x32\x30\x32\x30\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xC6\xCB\xC7\x28\xD1\xFB\x84\xF5\x9A\xEF\x42\x14\x20\xE1\x43\x6B\x6E\x75\xAD\xFC\x2B\x03\x84\xD4\x76\x93\x25\xD7\x59\x3B\x41\x65\x6B\x1E\xE6\x34\x2A\xBB\x74\xF6\x12\xCE\xE8\x6D\xE7\xAB\xE4\x3C\x4E\x3F\x44\x08\x8B\xCD\x16\x71\xCB\xBF\x92\x99\xF4\xA4\xD7\x3C\x50\x54\x52\x90\x85\x83\x78\x94\x67\x67\xA3\x1C\x09\x19\x3D\x75\x34\x85\xDE\xED\x60\x7D\xC7\x0C\xB4\x41\x52\xB9\x6E\xE5\xEE\x42\xA3\x82\x01\x0D\x30\x82\x01\x09\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x73\x91\x10\xAB\xFF\x55\xB3\x5A\x7C\x09\x25\xD5\xB2\xBA\x08\xA0\x6B\xAB\x1F\x6D\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xC6\x06\x03\x55\x1D\x1F\x04\x81\xBE\x30\x81\xBB\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x62\x72\x5F\x72\x6F\x6F\x74\x5F\x63\x61\x5F\x31\x5F\x32\x30\x32\x30\x2E\x63\x72\x6C\x30\x79\xA0\x77\xA0\x75\x86\x73\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x42\x52\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x41\x25\x32\x30\x31\x25\x32\x30\x32\x30\x32\x30\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\x94\x90\x2D\x13\xFA\xE1\x63\xF8\x61\x63\xE8\xAD\x85\x78\x54\x91\x9C\xB8\x93\x38\x3E\x1A\x41\xDA\x40\x16\x53\x42\x08\xCA\x2F\x8E\xF1\x3E\x81\x56\xC0\xAA\xD8\xED\x18\xC4\xB0\xAE\xF4\x3E\xFA\x26\x02\x31\x00\xF3\x28\xE2\xC6\xDB\x2B\x99\xFB\xB7\x51\xB8\x24\xA3\xA4\x94\x7A\x1A\x3F\xE6\x36\xE2\x03\x57\x33\x8A\x30\xCB\x82\xC7\xD6\x14\x11\xD5\x75\x63\x5B\x14\x95\x9C\x1F\x01\xCF\xD8\xD5\x72\xA7\x0F\x3B",
 	["CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE"] = "\x30\x82\x02\xDB\x30\x82\x02\x60\xA0\x03\x02\x01\x02\x02\x10\x5F\x02\x41\xD7\x7A\x87\x7C\x4C\x03\xA3\xAC\x96\x8D\xFB\xFF\xD0\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x44\x2D\x54\x52\x55\x53\x54\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x20\x32\x30\x32\x30\x30\x1E\x17\x0D\x32\x30\x30\x32\x31\x31\x31\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x35\x30\x32\x31\x31\x30\x39\x35\x39\x35\x39\x5A\x30\x48\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x44\x2D\x54\x52\x55\x53\x54\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x20\x32\x30\x32\x30\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xF1\x0B\xDD\x86\x43\x20\x19\xDF\x97\x85\xE8\x22\x4A\x9B\xCF\x9D\x98\xBF\xB4\x05\x26\xC9\xCB\xE3\xA6\xD2\x8F\xC5\x9E\x78\x7B\x31\x89\xA9\x89\xAD\x27\x3C\x65\x10\x82\xFC\xDF\xC3\x9D\x4E\xF0\x33\x23\xC4\xD2\x32\xF5\x1C\xB0\xDF\x33\x17\x5D\xC5\xF0\xB1\x8A\xF9\xEF\xB9\xB7\x14\xCA\x29\x4A\xC2\x0F\xA9\x7F\x75\x65\x49\x2A\x30\x67\xF4\x64\xF7\xD6\x1A\x77\xDA\xC3\xC2\x97\x61\x42\x7B\x49\xAD\xA3\x82\x01\x0D\x30\x82\x01\x09\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7F\x10\x01\x16\x37\x3A\xA4\x28\xE4\x50\xF8\xA4\xF7\xEC\x6B\x32\xB6\xFE\xE9\x8B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xC6\x06\x03\x55\x1D\x1F\x04\x81\xBE\x30\x81\xBB\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x65\x76\x5F\x72\x6F\x6F\x74\x5F\x63\x61\x5F\x31\x5F\x32\x30\x32\x30\x2E\x63\x72\x6C\x30\x79\xA0\x77\xA0\x75\x86\x73\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x45\x56\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x41\x25\x32\x30\x31\x25\x32\x30\x32\x30\x32\x30\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\xCA\x3C\xC6\x2A\x75\xC2\x5E\x75\x62\x39\x36\x00\x60\x5A\x8B\xC1\x93\x99\xCC\xD9\xDB\x41\x3B\x3B\x87\x99\x17\x3B\xD5\xCC\x4F\xCA\x22\xF7\xA0\x80\xCB\xF9\xB4\xB1\x1B\x56\xF5\x72\xD2\xFC\x19\xD1\x02\x31\x00\x91\xF7\x30\x93\x3F\x10\x46\x2B\x71\xA4\xD0\x3B\x44\x9B\xC0\x29\x02\x05\xB2\x41\x77\x51\xF3\x79\x5A\x9E\x8E\x14\xA0\x4E\x42\xD2\x5B\x81\xF3\x34\x6A\x03\xE7\x22\x38\x50\x5B\xED\x19\x4F\x43\x16",
+	["CN=DigiCert TLS ECC P384 Root G5,O=DigiCert\, Inc.,C=US"] = "\x30\x82\x02\x19\x30\x82\x01\x9F\xA0\x03\x02\x01\x02\x02\x10\x09\xE0\x93\x65\xAC\xF7\xD9\xC8\xB9\x3E\x1C\x0B\x04\x2A\x2E\xF3\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x44\x69\x67\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x4C\x53\x20\x45\x43\x43\x20\x50\x33\x38\x34\x20\x52\x6F\x6F\x74\x20\x47\x35\x30\x1E\x17\x0D\x32\x31\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x36\x30\x31\x31\x34\x32\x33\x35\x39\x35\x39\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x44\x69\x67\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x4C\x53\x20\x45\x43\x43\x20\x50\x33\x38\x34\x20\x52\x6F\x6F\x74\x20\x47\x35\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xC1\x44\xA1\xCF\x11\x97\x50\x9A\xDE\x23\x82\x35\x07\xCD\xD0\xCB\x18\x9D\xD2\xF1\x7F\x77\x35\x4F\x3B\xDD\x94\x72\x52\xED\xC2\x3B\xF8\xEC\xFA\x7B\x6B\x58\x20\xEC\x99\xAE\xC9\xFC\x68\xB3\x75\xB9\xDB\x09\xEC\xC8\x13\xF5\x4E\xC6\x0A\x1D\x66\x30\x4C\xBB\x1F\x47\x0A\x3C\x61\x10\x42\x29\x7C\xA5\x08\x0E\xE0\x22\xE9\xD3\x35\x68\xCE\x9B\x63\x9F\x84\xB5\x99\x4D\x58\xA0\x8E\xF5\x54\xE7\x95\xC9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC1\x51\x45\x50\x59\xAB\x3E\xE7\x2C\x5A\xFA\x20\x22\x12\x07\x80\x88\x7C\x11\x6A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\x89\x6A\x8D\x47\xE7\xEC\xFC\x6E\x55\x03\xD9\x67\x6C\x26\x4E\x83\xC6\xFD\xC9\xFB\x2B\x13\xBC\xB7\x7A\x8C\xB4\x65\xD2\x69\x69\x63\x13\x63\x3B\x26\x50\x2E\x01\xA1\x79\x06\x91\x9D\x48\xBF\xC2\xBE\x02\x30\x47\xC3\x15\x7B\xB1\xA0\x91\x99\x49\x93\xA8\x3C\x7C\xE8\x46\x06\x8B\x2C\xF2\x31\x00\x94\x9D\x62\xC8\x89\xBD\x19\x84\x14\xE9\xA5\xFB\x01\xB8\x0D\x76\x43\x8C\x2E\x53\xCB\x7C\xDF\x0C\x17\x96\x50",
+	["CN=DigiCert TLS RSA4096 Root G5,O=DigiCert\, Inc.,C=US"] = "\x30\x82\x05\x66\x30\x82\x03\x4E\xA0\x03\x02\x01\x02\x02\x10\x08\xF9\xB4\x78\xA8\xFA\x7E\xDA\x6A\x33\x37\x89\xDE\x7C\xCF\x8A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x44\x69\x67\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x4C\x53\x20\x52\x53\x41\x34\x30\x39\x36\x20\x52\x6F\x6F\x74\x20\x47\x35\x30\x1E\x17\x0D\x32\x31\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x36\x30\x31\x31\x34\x32\x33\x35\x39\x35\x39\x5A\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x44\x69\x67\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x25\x30\x23\x06\x03\x55\x04\x03\x13\x1C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x4C\x53\x20\x52\x53\x41\x34\x30\x39\x36\x20\x52\x6F\x6F\x74\x20\x47\x35\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB3\xD0\xF4\xC9\x79\x11\x9D\xFD\xFC\x66\x81\xE7\xCC\xD5\xE4\xBC\xEC\x81\x3E\x6A\x35\x8E\x2E\xB7\xE7\xDE\xAF\xF9\x07\x4D\xCF\x30\x9D\xEA\x09\x0B\x99\xBD\x6C\x57\xDA\x18\x4A\xB8\x78\xAC\x3A\x39\xA8\xA6\x48\xAC\x2E\x72\xE5\xBD\xEB\xF1\x1A\xCD\xE7\xA4\x03\xA9\x3F\x11\xB4\xD8\x2F\x89\x16\xFB\x94\x01\x3D\xBB\x2F\xF8\x13\x05\xA1\x78\x1C\x8E\x28\xE0\x45\xE0\x83\xF4\x59\x1B\x95\xB3\xAE\x7E\x03\x45\xE5\xBE\xC2\x42\xFE\xEE\xF2\x3C\xB6\x85\x13\x98\x32\x9D\x16\xA8\x29\xC2\x0B\x1C\x38\xDC\x9F\x31\x77\x5C\xBF\x27\xA3\xFC\x27\xAC\xB7\x2B\xBD\x74\x9B\x17\x2D\xF2\x81\xDA\x5D\xB0\xE1\x23\x17\x3E\x88\x4A\x12\x23\xD0\xEA\xCF\x9D\xDE\x03\x17\xB1\x42\x4A\xA0\x16\x4C\xA4\x6D\x93\xE9\x3F\x3A\xEE\x3A\x7C\x9D\x58\x9D\xF4\x4E\x8F\xFC\x3B\x23\xC8\x6D\xB8\xE2\x05\xDA\xCC\xEB\xEC\xC3\x31\xF4\xD7\xA7\x29\x54\x80\xCF\x44\x5B\x4C\x6F\x30\x9E\xF3\xCC\xDD\x1F\x94\x43\x9D\x4D\x7F\x70\x70\x0D\xD4\x3A\xD1\x37\xF0\x6C\x9D\x9B\xC0\x14\x93\x58\xEF\xCD\x41\x38\x75\xBC\x13\x03\x95\x7C\x7F\xE3\x5C\xE9\xD5\x0D\xD5\xE2\x7C\x10\x62\xAA\x6B\xF0\x3D\x76\xF3\x3F\xA3\xE8\xB0\xC1\xFD\xEF\xAA\x57\x4D\xAC\x86\xA7\x18\xB4\x29\xC1\x2C\x0E\xBF\x64\xBE\x29\x8C\xD8\x02\x2D\xCD\x5C\x2F\xF2\x7F\xEF\x15\xF4\x0C\x15\xAC\x0A\xB0\xF1\xD3\x0D\x4F\x6A\x4D\x77\x97\x01\xA0\xF1\x66\xB7\xB7\xCE\xEF\xCE\xEC\xEC\xA5\x75\xCA\xAC\xE3\xE1\x63\xF7\xB8\xA1\x04\xC8\xBC\x7B\x3F\x5D\x2D\x16\x22\x56\xED\x48\x49\xFE\xA7\x2F\x79\x30\x25\x9B\xBA\x6B\x2D\x3F\x9D\x3B\xC4\x17\xE7\x1D\x2E\xFB\xF2\xCF\xA6\xFC\xE3\x14\x2C\x96\x98\x21\x8C\xB4\x91\xE9\x19\x60\x83\xF2\x30\x2B\x06\x73\x50\xD5\x98\x3B\x06\xE9\xC7\x8A\x0C\x60\x8C\x28\xF8\x52\x9B\x6E\xE1\xF6\x4D\xBB\x06\x24\x9B\xD7\x2B\x26\x3F\xFD\x2A\x2F\x71\xF5\xD6\x24\xBE\x7F\x31\x9E\x0F\x6D\xE8\x8F\x4F\x4D\xA3\x3F\xFF\x35\xEA\xDF\x49\x5E\x41\x8F\x86\xF9\xF1\x77\x79\x4B\x1B\xB4\xA3\x5E\x2F\xFB\x46\x02\xD0\x66\x13\x5E\x5E\x85\x4F\xCE\xD8\x70\x88\x7B\xCE\x01\xB5\x96\x97\xD7\xCD\x7D\xFD\x82\xF8\xC2\x24\xC1\xCA\x01\x39\x4F\x8D\xA2\xC1\x14\x40\x1F\x9C\x66\xD5\x0C\x09\x46\xD6\xF2\xD0\xD1\x48\x76\x56\x3A\x43\xCB\xB6\x0A\x11\x39\xBA\x8C\x13\x6C\x06\xB5\x9E\xCF\xEB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x51\x33\x1C\xED\x36\x40\xAF\x17\xD3\x25\xCD\x69\x68\xF2\xAF\x4E\x23\x3E\xB3\x41\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x60\xA6\xAF\x5B\x5F\x57\xDA\x89\xDB\x4B\x50\xA9\xC4\x23\x35\x21\xFF\xD0\x61\x30\x84\x91\xB7\x3F\x10\xCF\x25\x8E\xC9\xBF\x46\x34\xD9\xC1\x21\x26\x1C\x70\x19\x72\x1E\xA3\xC9\x87\xFE\xA9\x43\x64\x96\x3A\xC8\x53\x04\x0A\xB6\x41\xBB\xC4\x47\x00\xD9\x9F\x18\x18\x3B\xB2\x0E\xF3\x34\xEA\x24\xF7\xDD\xAF\x20\x60\xAE\x92\x28\x5F\x36\xE7\x5D\xE4\xDE\xC7\x3C\xDB\x50\x39\xAD\xBB\x3D\x28\x4D\x96\x7C\x76\xC6\x5B\xF4\xC1\xDB\x14\xA5\xAB\x19\x62\x07\x18\x40\x5F\x97\x91\xDC\x9C\xC7\xAB\xB5\x51\x0D\xE6\x69\x53\x55\xCC\x39\x7D\xDA\xC5\x11\x55\x72\xC5\x3B\x8B\x89\xF8\x34\x2D\xA4\x17\xE5\x17\xE6\x99\x7D\x30\x88\x21\x37\xCD\x30\x17\x3D\xB8\xF2\xBC\xA8\x75\xA0\x43\xDC\x3E\x89\x4B\x90\xAE\x6D\x03\xE0\x1C\xA3\xA0\x96\x09\xBB\x7D\xA3\xB7\x2A\x10\x44\x4B\x46\x07\x34\x63\xED\x31\xB9\x04\xEE\xA3\x9B\x9A\xAE\xE6\x31\x78\xF4\xEA\x24\x61\x3B\xAB\x58\x64\xFF\xBB\x87\x27\x62\x25\x81\xDF\xDC\xA1\x2F\xF6\xED\xA7\xFF\x7A\x8F\x51\x2E\x30\xF8\xA4\x01\xD2\x85\x39\x5F\x01\x99\x96\x6F\x5A\x5B\x70\x19\x46\xFE\x86\x60\x3E\xAD\x80\x10\x09\xDD\x39\x25\x2F\x58\x7F\xBB\xD2\x74\xF0\xF7\x46\x1F\x46\x39\x4A\xD8\x53\xD0\xF3\x2E\x3B\x71\xA5\xD4\x6F\xFC\xF3\x67\xE4\x07\x8F\xDD\x26\x19\xE1\x8D\x5B\xFA\xA3\x93\x11\x9B\xE9\xC8\x3A\xC3\x55\x68\x9A\x92\xE1\x52\x76\x38\xE8\xE1\xBA\xBD\xFB\x4F\xD5\xEF\xB3\xE7\x48\x83\x31\xF0\x82\x21\xE3\xB6\xBE\xA7\xAB\x6F\xEF\x9F\xDF\x4C\xCF\x01\xB8\x62\x6A\x23\x3D\xE7\x09\x4D\x80\x1B\x7B\x30\xA4\xC3\xDD\x07\x7F\x34\xBE\xA4\x26\xB2\xF6\x41\xE8\x09\x1D\xE3\x20\x98\xAA\x37\x4F\xFF\xF7\xF1\xE2\x29\x70\x31\x47\x3F\x74\xD0\x14\x16\xFA\x21\x8A\x02\xD5\x8A\x09\x94\x77\x2E\xF2\x59\x28\x8B\x7C\x50\x92\x0A\x66\x78\x38\x83\x75\xC4\xB5\x5A\xA8\x11\xC6\xE5\xC1\x9D\x66\x55\xCF\x53\xC4\xAF\xD7\x75\x85\xA9\x42\x13\x56\xEC\x21\x77\x81\x93\x5A\x0C\xEA\x96\xD9\x49\xCA\xA1\x08\xF2\x97\x3B\x6D\x9B\x04\x18\x24\x44\x8E\x7C\x01\xF2\xDC\x25\xD8\x5E\x86\x9A\xB1\x39\xDB\xF5\x91\x32\x6A\xD1\xA6\x70\x8A\xA2\xF7\xDE\xA4\x45\x85\x26\xA8\x1E\x8C\x5D\x29\x5B\xC8\x4B\xD8\x9A\x6A\x03\x5E\x70\xF2\x85\x4F\x6C\x4B\x68\x2F\xCA\x54\xF6\x8C\xDA\x32\xFE\xC3\x6B\x83\x3F\x38\xC6\x7E",
+	["CN=Certainly Root R1,O=Certainly,C=US"] = "\x30\x82\x05\x47\x30\x82\x03\x2F\xA0\x03\x02\x01\x02\x02\x11\x00\x8E\x0F\xF9\x4B\x90\x71\x68\x65\x33\x54\xF4\xD4\x44\x39\xB7\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x1E\x17\x0D\x32\x31\x30\x34\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x36\x30\x34\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\x36\xD4\x1F\xEA\xDD\xAB\xE4\xD1\xB6\xE6\xFB\x22\xC0\xDD\x13\x0D\x6A\x7B\x22\x13\x1C\x97\x3C\x68\x63\x66\x32\x9C\x03\xB5\x8D\xA4\x81\x83\xDA\x78\x30\x11\xCF\xDC\xB2\x2B\xBE\x92\xBF\x8E\xE4\xC4\x13\xBE\xA4\x68\x4C\xDA\x02\x68\x16\x74\xBE\xB2\xDD\x04\xE4\x6B\x2A\xDD\x37\x1F\x60\x2C\xDB\xF5\xF7\xA1\x7C\x95\xB7\x0C\x70\x86\x2E\xF1\x3A\xEF\x52\xF7\xCC\xD3\x9B\xF9\x8B\xBE\x0E\xDF\x31\xB7\x9D\x68\x5C\x92\xA6\xF5\xE5\xF3\x0A\x34\xB5\xFF\x7B\xA2\xE4\x87\xA1\xC6\xAF\x17\x00\xEF\x03\x91\xED\xA9\x1C\x4E\x71\x3D\xD2\x8B\x6C\x89\xF4\x78\x86\xE6\x6A\x49\xA0\xCE\xB5\xD2\xB0\xAB\x9B\xF6\xF4\xD4\x2E\xE3\x72\xF9\x36\xC6\xEB\x15\xB7\x25\x8C\x3A\xFC\x25\x0D\xB3\x22\x73\x21\x74\xC8\x4A\x96\x61\x92\xF5\x2F\x0B\x18\xA5\xF4\xAD\xE2\xEE\x41\xBD\x01\x79\xFA\x96\x8C\x8D\x17\x02\x30\xB4\xF9\xAF\x78\x1A\x8C\xB4\x36\x10\x10\x07\x05\x70\xD0\xF4\x31\x90\x8A\x51\xC5\x86\x26\x79\xB2\x11\x88\x5E\xC5\xF0\x0A\x54\xCD\x49\xA6\xBF\x02\x9C\xD2\x44\xA7\xED\xE3\x78\xEF\x46\x5E\x6D\x71\xD1\x79\x70\x1C\x46\x5F\x51\xE9\xC9\x37\xDC\x5F\x7E\x69\x7B\x41\xDF\x34\x45\xE0\x3B\x84\xF4\xA1\x8A\x0A\x36\x9E\x37\xCC\x62\x52\xE1\x89\x0D\x28\xF9\x7A\x23\xB1\x0D\x3D\x3D\x9A\xFD\x9D\x81\xEF\x2C\x90\xC0\x7B\x44\x4E\xBB\x49\xE0\x0E\x4A\x56\x92\xBC\xCB\xB5\xDD\x79\x17\x89\x91\xDE\x61\x89\x74\x92\xA8\xE3\x32\x85\xBE\x4E\x85\xA4\x4B\x59\xCB\x2B\xC5\x78\x8E\x71\x54\xD0\x02\x37\x99\x8C\xE5\x49\xEA\xE0\x54\x72\xA4\x11\x06\x2F\x0B\x8C\xC1\x5B\xBE\xB5\xA1\xB0\x53\x6E\x9C\xB8\x60\x91\x1F\x59\x6B\xF9\x2D\xF4\x94\x0A\x97\xB5\xEC\xC5\x76\x03\x54\x1B\x65\x52\xBA\x4C\x92\x56\x51\x35\xA0\x40\xD8\x29\xDB\xAE\x52\x76\x3B\x2D\x30\x40\x9B\x8A\xD0\x42\x56\xB4\xB7\x88\x01\xA4\x87\x3B\x53\x96\xCD\xA3\x16\x8F\xF3\x66\xAA\x17\xB1\xC7\x60\xE0\xC1\x43\x05\x0C\xEE\x9B\x5B\x60\x6F\x06\x5C\x87\x5B\x27\xF9\x40\x11\x9E\x9C\x33\xC1\xB7\xE5\x35\x57\x05\x7F\x27\xCE\x17\x20\x8C\x1C\xFC\xF1\xFB\xDA\x31\x29\x49\xED\xF5\x0B\x84\xA7\x4F\xC1\xF6\x4E\xC2\x28\x9C\xFA\xEE\xE0\xAF\x07\xFB\x33\x11\x7A\x21\x4F\x0B\x21\x10\xB6\x40\x3A\xAB\x22\x3A\x04\x9C\x8B\x9B\x84\x86\x72\x9A\xD2\xA7\xA5\xC4\xB4\x75\x91\xA9\x2B\x23\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\xAA\x3F\x25\x8D\x9F\x44\x5C\xC1\x3A\xE8\x2E\xAE\x77\x4C\x84\x3E\x67\x0C\xF4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xB9\x57\xAF\xB8\x12\xDA\x57\x83\x8F\x68\x0B\x33\x1D\x03\x53\x55\xF4\x95\x70\xE4\x2B\x3D\xB0\x39\xEB\xFA\x89\x62\xFD\xF7\xD6\x18\x04\x2F\x21\x34\xDD\xF1\x68\xF0\xD5\x96\x5A\xDE\xC2\x80\xA3\xC1\x8D\xC6\x6A\xF7\x59\x77\xAE\x15\x64\xCF\x5B\x79\x05\x77\x66\xEA\x8C\xD3\x6B\x0D\xDD\xF1\x59\x2C\xC1\x33\xA5\x30\x80\x15\x45\x07\x45\x1A\x31\x22\xB6\x92\x00\xAB\x99\x4D\x3A\x8F\x77\xAF\xA9\x22\xCA\x2F\x63\xCA\x15\xD6\xC7\xC6\xF0\x3D\x6C\xFC\x1C\x0D\x98\x10\x61\x9E\x11\xA2\x22\xD7\x0A\xF2\x91\x7A\x6B\x39\x0E\x2F\x30\xC3\x36\x49\x9F\xE0\xE9\x0F\x02\x44\x50\x37\x94\x55\x7D\xEA\x9F\xF6\x3B\xBA\x94\xA5\x4C\xE9\xBC\x3E\x51\xB4\xE8\xCA\x92\x36\x54\x6D\x5C\x25\x28\xDA\xDD\xAD\x14\xFD\xD3\xEE\xE2\x22\x05\xEB\xD0\xF2\xB7\x68\x12\xD7\x5A\x8A\x41\x1A\xC6\x92\xA5\x5A\x3B\x63\x45\x4F\xBF\xE1\x3A\x77\x22\x2F\x5C\xBF\x46\xF9\x5A\x03\x85\x13\x42\x5F\xCA\xDE\x53\xD7\x62\xB5\xA6\x35\x04\xC2\x47\xFF\x99\xFD\x84\xDF\x5C\xCE\xE9\x5E\x80\x28\x41\xF2\x7D\xE7\x1E\x90\xD8\x4F\x76\x3E\x82\x3C\x0D\xFC\xA5\x03\xFA\x7B\x1A\xD9\x45\x1E\x60\xDA\xC4\x8E\xF9\xFC\x2B\xC9\x7B\x95\xC5\x2A\xFF\xAA\x89\xDF\x82\x31\x0F\x72\xFF\x0C\x27\xD7\x0A\x1E\x56\x00\x50\x1E\x0C\x90\xC1\x96\xB5\xD8\x14\x85\xBB\xA7\x0D\x16\xC1\xF8\x07\x24\x1B\xBA\x85\xA1\x1A\x05\x09\x80\xBA\x95\x63\xC9\x3A\xEC\x25\x9F\x7F\x9D\xBA\xA4\x47\x15\x9B\x44\x70\xF1\x6A\x4B\xD6\x38\x5E\x43\xF3\x18\x7E\x50\x6E\xE9\x5A\x28\xE6\x65\xE6\x77\x1B\x3A\xFD\x1D\xBE\x03\x26\xA3\xDB\xD4\xE1\xBB\x7E\x96\x27\x2B\x1D\xEE\xA4\xFB\xDA\x25\x54\x13\x03\xDE\x39\xC6\xC3\x1F\x4D\x90\xEC\x8F\x1B\x4A\xD2\x1C\xED\x85\x95\x38\x50\x79\x46\xD6\xC1\x90\x50\x31\xA9\x5C\x9A\x6E\x1D\xF5\x33\x56\x8B\xA7\x99\xD2\xF2\xC8\x2C\x33\x93\x92\x30\xC7\x4E\x8C\x65\x33\x10\x64\x17\xFD\x24\x17\x96\xD1\x8D\xC2\x3A\x6A\x2B\xEB\x13\x8B\x44\xF2\x21\xF3\x4A\x1A\xB7\x77\x5F\xD7\xED\x88\xA4\x72\xE5\x39\x1F\x95\x9D\xBE\x67\xC1\x70\x11\x3D\xBB\xF4\xF8\x49\xB7\xE3\x26\x97\x3A\x9F\xD2\x5F\x7C\xFB\xC0\x99\x7C\x39\x29\xE0\x7B\x1D\xBF\x0D\xA7\x8F\xD2\x29\x34\x6E\x24\x15\xCB\xDE\x90\x5E\xBF\x1A\xC4\x66\xEA\xC2\xE6\xBA\x39\x5F\x8A\x99\xA9\x41\x59\x07\xB0\x2C\xAF",
+	["CN=Certainly Root E1,O=Certainly,C=US"] = "\x30\x82\x01\xF7\x30\x82\x01\x7D\xA0\x03\x02\x01\x02\x02\x10\x06\x25\x33\xB1\x47\x03\x33\x27\x5C\xF9\x8D\x9A\xB9\xBF\xCC\xF8\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x20\x52\x6F\x6F\x74\x20\x45\x31\x30\x1E\x17\x0D\x32\x31\x30\x34\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x36\x30\x34\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x31\x1A\x30\x18\x06\x03\x55\x04\x03\x13\x11\x43\x65\x72\x74\x61\x69\x6E\x6C\x79\x20\x52\x6F\x6F\x74\x20\x45\x31\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xDE\x6F\xF8\x7F\x1C\xDF\xED\xF9\x47\x87\x86\xB1\xA4\xC0\x8A\xF8\x82\x97\x80\xEA\x8F\xC8\x4A\x5E\x2A\x7D\x88\x68\xA7\x01\x62\x14\x91\x24\x7A\x5C\x9E\xA3\x17\x7D\x8A\x86\x21\x34\x18\x50\x1B\x10\xDE\xD0\x37\x4B\x26\xC7\x19\x60\x80\xE9\x34\xBD\x60\x19\x36\x40\xD6\x29\x87\x09\x3C\x91\x7A\xF6\xBC\x13\x23\xDD\x59\x4E\x04\x5E\xCF\xC8\x02\x1C\x18\x53\xC1\x31\xD8\xDA\x20\xE9\x44\x8D\xE4\x76\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF3\x28\x18\xCB\x64\x75\xEE\x29\x2A\xEB\xED\xAE\x23\x58\x38\x85\xEB\xC8\x22\x07\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xB1\x8E\x5A\x20\xC3\xB2\x19\x62\x4D\xDE\xB0\x4F\xDF\x6E\xD2\x70\x8A\xF1\x9F\x7E\x6A\x8C\xE6\xBA\xDE\x83\x69\xCA\x69\xB3\xA9\x05\xB5\x96\x92\x17\x87\xC2\xD2\xEA\xD0\x7B\xCE\xD8\x41\x5B\x7C\xAE\x02\x30\x46\xDE\xEA\xCB\x5D\x9A\xEC\x32\xC2\x65\x16\xB0\x4C\x30\x5C\x30\xF3\xDA\x4E\x73\x86\x06\xD8\xCE\x89\x04\x48\x37\x37\xF8\xDD\x33\x51\x9D\x70\xAF\x7B\x55\xD8\x01\x2E\x7D\x05\x64\x0E\x86\xB8\x91",
+	["CN=E-Tugra Global Root CA RSA v3,OU=E-Tugra Trust Center,O=E-Tugra EBG A.S.,L=Ankara,C=TR"] = "\x30\x82\x05\xF3\x30\x82\x03\xDB\xA0\x03\x02\x01\x02\x02\x14\x0D\x4D\xC5\xCD\x16\x22\x95\x96\x08\x7E\xB8\x0B\x7F\x15\x06\x34\xFB\x79\x10\x34\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x6E\x6B\x61\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x45\x2D\x54\x75\x67\x72\x61\x20\x45\x42\x47\x20\x41\x2E\x53\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x45\x2D\x54\x75\x67\x72\x61\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x52\x53\x41\x20\x76\x33\x30\x1E\x17\x0D\x32\x30\x30\x33\x31\x38\x30\x39\x30\x37\x31\x37\x5A\x17\x0D\x34\x35\x30\x33\x31\x32\x30\x39\x30\x37\x31\x37\x5A\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x6E\x6B\x61\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x45\x2D\x54\x75\x67\x72\x61\x20\x45\x42\x47\x20\x41\x2E\x53\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x45\x2D\x54\x75\x67\x72\x61\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x52\x53\x41\x20\x76\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA2\x66\xF0\x89\xB7\x72\x7B\xEE\x09\xC9\x63\xD2\xD3\x43\xDD\x5E\xC3\xA6\x84\x38\x4A\xF1\x8D\x81\xBB\x14\xBD\x47\xE8\x40\x17\xF3\x3D\xC3\x78\x45\x72\xA6\x2E\x90\xDE\x9A\x3A\xD4\x20\x71\xCA\xBC\x9F\x1D\x4B\x97\x0A\xC7\x31\xBA\x3E\xD7\xFE\x25\xA9\x2A\x8E\x36\xF4\xD1\x2F\xC7\xB7\xA9\x5D\x33\xDC\x30\x70\xF8\x40\x6C\x4B\xB2\xA6\x31\x61\xD1\x34\x3C\x3D\x31\x7A\xC7\xAF\xC4\xA7\xA7\x84\xE1\x97\xA4\xE8\x4B\xF6\x17\x7C\xEE\x3C\x07\xED\xE2\x8A\x57\xDC\xB6\xFB\xF8\x43\x25\x50\xEA\x27\x81\xA8\x86\xBC\x8F\x52\x4A\x96\x3A\x60\x1A\x96\xBB\xFD\x73\xF4\x85\xFD\x83\xFD\x7F\x84\x6D\x34\x6C\x7F\x6A\xB7\x4B\x01\x03\xBF\xAD\x69\xB7\xD7\x32\xD9\xF5\x57\x6A\xE9\x86\x82\x3E\xA5\x66\x31\xB3\x16\x3D\xC2\xF3\x26\x60\x32\xD3\x52\x1E\xB0\x6C\xA4\x37\x3E\xF4\xF5\xAF\xEB\xE1\xDF\x80\x06\xCF\x2A\x41\xE7\x66\x09\xE1\x4B\x97\xE7\x77\xBD\x21\x6D\x29\xB6\x67\xC3\x2D\x7E\xED\xD6\x79\x65\xD1\xCF\x3A\xB6\xD1\xB1\x5E\x56\x61\x50\x7A\x5A\xCE\x4E\x50\x31\x80\x03\x98\x47\xE7\xE4\x18\x7C\x44\x5A\xC6\xA4\xB3\x3B\xC6\xC6\xC3\x3A\xF0\x6C\xC3\x8B\xC8\xA4\x91\x05\xF3\xF5\xD9\xB6\xAA\x06\xA1\xB7\xAB\xE4\xB1\xEA\x21\x14\x5C\x83\xA4\xFC\xFF\xB6\x50\xD3\x8C\x12\x26\x99\x76\x70\xE9\xC0\x0F\xA6\x74\xFC\xBB\xD0\x1B\x78\xCE\x72\x92\xE2\x28\x9C\xBC\xE6\xE9\x09\xD8\x3A\xD3\x89\xE6\xBE\x2E\x77\xDF\x01\x0A\x6F\x96\xF6\xE5\x8D\x3C\x4D\x52\x76\x1A\x56\xE1\x73\x7E\x17\xAC\x3D\xAD\x6C\xA3\x52\x12\x18\x70\xE6\x80\x4E\x33\xF2\x7E\x26\x32\xAC\x05\x8D\x38\xA4\xE6\x76\x3C\x9F\x10\x69\x0E\x6D\x9D\xD2\xC1\x79\x20\x6B\x5B\xCF\x33\x8D\xD1\x94\x76\x35\xE7\x5D\x55\xC7\xB7\xAC\x28\xAB\x46\xCC\xE7\x3B\x21\xB5\x0A\x0A\xE4\x4A\x59\xDC\x81\x35\x4B\x44\x95\x12\x0A\x67\xA5\xA1\xFF\x5B\x00\x07\xD2\xC0\xCC\xF9\x3F\xFC\x9F\x33\xF2\x00\xF8\x8C\x6C\x87\x9D\x06\x2D\xF1\xEF\xE3\xE6\x06\xFA\xC5\x66\x13\x5B\xFC\x50\x07\x9E\x71\x86\xB2\xDA\x6F\x74\x30\xCF\x93\x53\xE8\xDC\x22\xD6\xDE\x20\x1F\x61\x8D\xA3\x2E\xA3\x78\x32\x90\x6C\xDC\xAC\x32\xB5\x05\xE4\xF5\x3C\x33\x0D\xD6\xE0\x87\x77\x17\x4C\x9D\xB0\xD8\x09\xA8\x0D\x57\xF7\x44\x85\xF0\xC8\x04\xBE\x5C\x5D\x5A\xE3\x17\x8E\x54\x63\x69\x7F\x49\x74\x64\x05\x8C\xA3\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB2\xB4\xAE\xE6\x2D\xF7\x26\xD5\xAA\x75\x2D\x76\x4B\xC0\x1B\x53\x21\xD0\x48\xEF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB2\xB4\xAE\xE6\x2D\xF7\x26\xD5\xAA\x75\x2D\x76\x4B\xC0\x1B\x53\x21\xD0\x48\xEF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x89\xA8\x72\x7F\x8C\xEB\xCE\x2E\x18\xC4\x10\x80\x2D\x10\x0C\xFF\xFB\x14\xCD\x04\xE0\x14\x3C\x4E\x9A\xFB\x9F\x29\xBF\x22\x9E\x57\xB9\x82\x73\x12\x63\x26\xB5\xCC\x90\xE9\xD2\x2A\x29\xEE\x9C\x2D\xCC\x2C\x99\xBE\x45\x27\xE4\xB1\x71\xED\xE4\x38\x95\x31\x41\xF2\x7D\x7A\x63\x78\xDF\xCA\x36\x16\x2F\x82\x88\x9F\xBC\x11\x47\x4F\x76\x4D\xC8\x2D\x8E\xEB\xDF\x2D\x7C\x4E\x3B\xDA\xAE\xF6\xE3\xDA\x5D\x14\xA6\xAE\xE8\x85\x44\x9D\x06\x6E\x8E\xFB\xEF\x7A\x4A\x6A\x2D\x2B\x28\x18\xFE\xBF\x90\x2C\x75\x16\x9F\x0F\xEA\x96\x7D\x05\xEE\x9B\x13\xA5\x44\x6C\xF8\x03\xD0\xDD\x23\xE1\xFD\x03\x12\x12\x08\xF4\x18\x34\xB3\xE0\x37\x0B\x77\x11\x01\x48\xBF\x61\xB4\xB5\xF8\x19\xD9\xCB\x4D\xEA\xA3\x8C\xEF\xFD\xF0\x06\xB5\x6D\x92\xF4\x4A\x61\x50\x84\xED\xEC\x49\xD3\xE4\xBE\x68\xE6\x2E\xE3\x31\x0B\x54\x0B\x1A\x92\xD6\x82\xD8\xB6\xA2\x65\x3C\x66\x04\xF9\x55\xDA\x6C\xFB\xDB\xB5\x14\x66\x4D\x94\x83\x3B\xCD\x1E\xA6\x2B\xB2\xFE\x77\x40\x86\xAB\xE7\xDF\x0A\xC9\xFD\xF6\xDD\x87\x56\x18\xD8\xB0\x2C\x55\x60\x96\xFA\x08\x7E\x52\x90\xF5\x4B\xA6\x2E\x87\x7C\xCB\x20\xDB\x06\x3E\xA0\x5D\x03\x77\x7D\xA2\x3C\x13\x1B\x29\xA2\x13\x55\xA0\x3D\x14\x22\xAF\x6F\xB8\xD0\x9A\x1B\x72\xDD\x05\x01\x8D\x86\x60\xBF\xA4\x67\xEE\xB5\xA5\x0D\xD1\x7F\xE6\x1A\x2B\x62\x66\xC3\x07\xBA\xE7\xA0\x48\x1C\x38\xC3\xE9\x45\xFB\xA7\x7F\xFC\xED\x02\x68\x1A\xCA\x77\x12\x77\xA6\x00\x55\x28\x14\xEC\xD6\xC7\x12\xA2\x1B\x65\x42\xE9\x91\xE8\xCB\x3E\x87\x89\x54\x5D\xD9\xAF\x9D\x97\x9C\x69\xE7\x0A\xFF\x0F\x5A\x78\x8B\x63\x2A\x4C\x7D\x47\x94\x3F\xDE\x4B\xE9\x53\xD0\x30\xF1\xC5\xF6\x9E\x49\xDF\x3B\xA0\x91\xA3\xA3\xFE\xCD\x58\xCC\xEA\xDF\xAF\x6F\x28\x3B\xA0\x69\x9B\x8F\xEC\xAC\xAE\x2B\x54\x9D\x9B\x04\xB1\x47\x20\xAF\x96\x12\x3E\x63\x94\x1D\x04\xE7\x2E\xBB\x86\xC7\x0C\x9A\x88\xBF\x76\x47\xEF\xF7\xB0\x0B\x97\x66\xD2\x44\xCF\x60\x52\x07\xE1\xD5\x2C\x4A\x3A\x27\x61\x77\xCA\xD7\x8F\xE7\x87\x0E\x30\xFF\x0C\xBB\x04\xE2\x61\xC3\xA2\xC8\x97\x61\x8E\xB4\x30\x6A\x3C\x6D\xC2\x07\x5F\x4A\x73\x2F\x3F\xF9\x16\x8A\x01\x66\xEF\xBA\x91\xCA\x52\x57\x7B\xAE\xD4\xE6\x0F\xDD\x0B\x7A\x7F\x8B\x9E\x26\x20\xCF\x3B\xEF\x81\x71\x83\x59",
+	["CN=E-Tugra Global Root CA ECC v3,OU=E-Tugra Trust Center,O=E-Tugra EBG A.S.,L=Ankara,C=TR"] = "\x30\x82\x02\xA5\x30\x82\x02\x2A\xA0\x03\x02\x01\x02\x02\x14\x26\x46\x19\x77\x31\xE1\x4F\x6F\x28\x36\xDE\x39\x51\x86\xE6\xD4\x97\x88\x22\xC1\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x6E\x6B\x61\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x45\x2D\x54\x75\x67\x72\x61\x20\x45\x42\x47\x20\x41\x2E\x53\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x45\x2D\x54\x75\x67\x72\x61\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x45\x43\x43\x20\x76\x33\x30\x1E\x17\x0D\x32\x30\x30\x33\x31\x38\x30\x39\x34\x36\x35\x38\x5A\x17\x0D\x34\x35\x30\x33\x31\x32\x30\x39\x34\x36\x35\x38\x5A\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x6E\x6B\x61\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x45\x2D\x54\x75\x67\x72\x61\x20\x45\x42\x47\x20\x41\x2E\x53\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x45\x2D\x54\x75\x67\x72\x61\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x26\x30\x24\x06\x03\x55\x04\x03\x13\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x45\x43\x43\x20\x76\x33\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x8E\x98\x29\xBF\xC7\x10\x1E\x27\xDB\xAB\x03\xCC\x28\x2C\xD8\x5E\x48\x19\x10\x29\xCC\xCB\x59\x81\xCC\x8C\xB8\x92\x17\x89\x83\x2A\x92\xF6\xC3\xA4\x1D\x4C\x62\xD5\x9F\xD6\xA0\x46\xDC\x1C\xBC\x76\xC1\xE3\x47\xD0\x5B\x13\xDA\xE7\xA5\xB3\x66\x48\xE7\x21\x9A\x4A\x4F\x86\x0A\x7D\x6C\xEA\x4D\x32\x80\x0A\xB2\x7A\x09\x9B\x69\x4B\x98\x81\xE2\x2E\xEC\x02\x70\x96\x1F\xFD\xF5\x46\xCE\xCA\xDC\x82\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFF\x82\x31\x72\x3E\xF9\xC4\x66\x6C\xAD\x38\x9E\xD1\xB0\x51\x88\xA5\x90\xCC\xF5\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFF\x82\x31\x72\x3E\xF9\xC4\x66\x6C\xAD\x38\x9E\xD1\xB0\x51\x88\xA5\x90\xCC\xF5\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\xE6\x05\x58\x69\x61\xE5\x2D\xCA\x0D\xCB\xF1\x19\x08\xBD\xD6\xFD\x51\x92\x1A\x7E\x63\x54\x04\x90\x91\x9A\x35\x91\x39\x99\xFA\x07\xA9\x66\x93\xBA\xC8\x68\xD4\x8A\x3F\xFA\xED\x6E\x16\x02\x27\xB7\x02\x31\x00\xDD\x5A\x17\x2B\x76\x1D\x65\x42\x96\xA6\xAC\x5D\x8A\x79\x56\xD8\x8A\x1B\xDF\x9A\xDE\x5F\xC7\x50\x8F\xB1\x5B\x71\x0C\x26\xDF\x6A\x40\x00\xEC\x33\x91\x21\x71\xBE\x68\xE4\x23\xA4\xD9\xAD\xA1\x37",
+	["CN=Security Communication RootCA3,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x05\x7F\x30\x82\x03\x67\xA0\x03\x02\x01\x02\x02\x09\x00\xE1\x7C\x37\x40\xFD\x1B\xFE\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x33\x30\x1E\x17\x0D\x31\x36\x30\x36\x31\x36\x30\x36\x31\x37\x31\x36\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x30\x36\x31\x37\x31\x36\x5A\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE3\xC9\x72\x49\xF7\x30\xDE\x09\x7C\xA9\x40\x81\x58\xD3\xB4\x3A\xDD\xBA\x61\x0F\x93\x50\x6E\x69\x3C\x35\xC2\xEE\x5B\x73\x90\x1B\x67\x4C\x21\xEC\x5F\x35\xBB\x39\x3E\x2B\x0A\x60\xEF\xBB\x6D\x2B\x86\xFB\x71\xA2\xC8\xAC\xE4\x56\x94\xF9\xC9\xAF\xB1\x72\xD4\x20\xAC\x74\xD2\xB8\x15\xAD\x51\xFE\x85\x74\xA1\xB9\x10\xFE\x05\x80\xF9\x52\x93\xB3\x40\x3D\x75\x10\xAC\xC0\x96\xB7\xA7\x7E\x76\xBC\xE3\x1B\x52\x19\xCE\x11\x1F\x0B\x04\x34\xF5\xD8\xF5\x69\x3C\x77\xF3\x64\xF4\x0D\xAA\x85\xDE\xE0\x09\x50\x04\x17\x96\x84\xB7\xC8\x8A\xBC\x4D\x72\xFC\x1C\xBB\xCF\xF3\x06\x4D\xF9\x9F\x64\xF7\x7E\xA6\x66\x86\x35\x71\xC8\x11\x80\x4C\xC1\x71\x40\x58\x1E\xBE\xA0\x73\xF6\xFC\x3E\x50\xE1\xE0\x2F\x26\x3D\x7E\x5C\x23\xB5\x79\x70\xDE\xFA\xE0\xD1\xA5\xD6\x0C\x41\x71\x7B\xF7\xEA\x8C\x1C\x88\xC7\xEC\x8B\xF5\xD1\x2F\x55\x96\x46\x7C\x5A\x3B\x58\x3B\xFB\xBA\xD8\x2D\xB5\x25\xDA\x7A\x4E\xCF\x44\xAE\x21\xA6\x9E\x98\xCA\x20\x6E\x7C\xBB\x88\x85\x5B\xFB\xC0\x10\x62\xBB\xF2\xF9\x27\x47\xEF\xD1\x89\x39\x43\xC4\xDF\xDE\xE1\x41\xBF\x54\x73\x20\x97\x2D\x6C\xDA\xF3\xD4\x07\xA3\xE6\xB9\xD8\x6F\xAE\xFC\x8C\x19\x2E\xD3\x67\x67\x2B\x95\xDB\x58\x5C\xB5\x6A\x02\xF3\xB8\x83\x5E\xB4\x6B\xBE\x41\x7E\x57\x09\x75\x44\x50\x55\xCD\x5A\x11\x61\x21\x0A\x61\xC2\xA9\x88\xFD\x13\xBC\x2D\x89\x2F\xCD\x61\xE0\x95\xBE\xCA\xB5\x7B\xE1\x7B\x34\x67\x0B\x1F\xB6\x0C\xC7\x7C\x1E\x19\x53\xCA\xA7\xB1\x4A\x15\x20\x56\x14\x70\x3D\x2B\x82\x2C\x0F\x9D\x15\x1D\x47\x80\x47\xFF\x78\x99\x0E\x31\xAF\x6F\x3E\x8F\xED\x86\x69\x1E\x7B\x18\x88\x14\xB2\xC2\xFC\x82\x33\x2E\x9C\x4B\x2D\xFB\x70\x3B\x71\xAA\x2B\x7B\x26\x27\xF3\x1A\xC2\xDC\xFB\x17\xB8\xA1\xEA\xCB\xA0\xB4\xAE\xD3\x94\x7E\x7A\xD0\xAB\xC3\xEC\x38\x2D\x11\x2E\x88\xBF\xD4\x3F\xAD\x12\x3B\x42\xAC\x8F\x02\x6E\x7D\xCC\xD1\x5F\x61\xBE\xA1\xBC\x3A\x6A\x48\xEA\x26\x55\x22\x16\x5D\x5F\x0D\xFF\x27\x33\x9F\x18\x03\x74\x8A\x5B\x52\x20\x47\x6B\x45\x4D\x22\x77\x8C\x55\x27\xF0\xAF\x1E\x8C\xC9\x83\x22\x54\xB7\x9A\xD0\x4F\xD9\xCE\xFC\xD9\x2E\x1C\x96\x28\xB1\x02\xD3\x03\xBD\x25\x52\x1C\x34\x66\x4F\x23\xAB\xF4\x77\x82\x96\x1D\xD1\x57\x30\x08\x11\x05\xFD\x57\xD1\xD9\xC7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x64\x14\x7C\xFC\x58\x72\x16\xA6\x0A\x29\x34\x15\x6F\x2A\xCB\xBC\xFC\xAF\xA8\xAB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xDC\x02\x23\x08\xE2\xEF\x21\x3A\xC7\x0D\xB7\x26\xD2\x62\x93\xA7\xA5\x23\x72\x07\x20\x82\x60\xDF\x18\xD7\x54\xAD\x69\x25\x92\x9E\xD9\x14\xCF\x99\xB9\x52\x81\xCF\xAE\x6C\x8A\x3B\x5A\x39\xC8\x6C\x01\x43\xC2\x22\x6D\x02\xF0\x62\xCD\x4E\x63\x43\xC0\x14\xDA\xF4\x63\xF0\xEA\xF4\x71\xEE\x4E\x87\xE3\x71\xA9\xF4\xC9\x57\xE5\x2E\x5F\x1C\x79\xBB\x23\xAA\x87\x44\x57\xE9\xBD\x35\x4D\x41\xBB\x4B\x28\xA3\x98\xB2\x1B\xD9\x0B\x17\x07\xE5\xF7\xEA\x9D\xF5\x76\xD7\xBF\xC4\xB6\x81\x58\xFF\xC8\xFF\x64\x69\x62\x79\xAD\x6E\x0E\x1F\x7F\xEE\x1D\x69\xE5\xB7\x72\x71\xB3\xFE\xA5\x01\x35\x94\x54\x2B\xC0\x52\x6D\x8F\x55\xC4\xC9\xD2\xB8\xCB\xCA\x34\x08\x51\x85\xA0\xF5\xBC\xB4\x17\x58\xEA\x0A\x5C\x7A\xBD\x63\xC6\x3A\x2F\xFF\x96\x49\x19\x84\xEA\x67\xD8\x04\xB1\x61\xF4\x00\x5B\x4A\xB7\x9C\x71\x37\x19\x85\x79\xBF\x81\xB0\xC7\x13\x0E\x76\x71\x3E\x3A\x80\x06\xAE\x06\x16\xA7\x8D\xB5\xC2\xC4\xCB\xFF\x40\xA5\x5C\x8D\xA5\xC9\x3A\xED\x72\x81\xCA\x5C\x98\x3C\xD2\x34\x03\x77\x08\xFD\xF0\x29\x59\x5D\x21\x08\xC7\x60\xBF\xA4\x71\x7B\xB8\xD9\x1E\x82\xBE\x09\xAF\x65\x6F\x28\xAB\xBF\x4B\xB5\xEE\x3E\x08\x47\x27\xA0\x0F\x6F\x0F\x8B\x3F\xAC\x95\x18\xF3\xB9\x0E\xDC\x67\x55\x6E\x62\x9E\x46\x0E\xD1\x04\x78\xCA\x72\xAE\x76\xD9\xA5\xF8\xB2\xDF\x88\x09\x61\x8B\xEF\x24\x4E\xD1\x59\x3F\x5A\xD4\x3D\xC9\x93\x3C\x2B\x64\xF5\x81\x0D\x16\x96\xF7\x92\xC3\xFE\x31\x6F\xE8\x2A\x32\x74\x0E\xF4\x4C\x98\x4A\x18\x0E\x30\x54\xD5\xC5\xEB\xBC\xC5\x15\x9E\xE8\x99\x21\xEB\x27\x2B\x09\x0A\xDB\xF1\xE6\x70\x18\x56\xBB\x0C\xE4\xBE\xF9\xE8\x10\xA4\x13\x92\xB8\x1C\xE0\xDB\x67\x1D\x53\x03\xA4\x22\xA7\xDC\x5D\x92\x10\x3C\xEA\xFF\xFC\x1B\x10\x1A\xC3\xD8\xD0\x9C\x9D\x65\xCB\xD0\x2B\x27\x31\x03\x1E\x36\xE1\x3D\x76\x75\x0C\xFF\x45\x26\xB9\xDD\x51\xBC\x23\xC7\x5F\xD8\xD8\x87\x10\x40\x12\x0D\x3D\x38\x37\xE7\x44\x3C\x18\xC0\x53\x09\x64\x8F\xFF\xD5\x9A\xA6\x7C\x70\x2E\x73\x55\x21\xE8\xDF\xFF\x83\xB9\x1D\x3E\x32\x1E\xD6\xA6\x7D\x2C\xF1\x66\xE9\x5C\x1D\xA7\xA3\xCE\x5E\x25\x32\x2B\xE3\x95\xAC\x2A\x07\xCE\xB4\x28\x78\x86\x3C\x2D\xA6\x9D\x4D\xD2\x74\x30\xDD\x64\x51\x15\xDB\x83\x83\x51\xD7\xAF\xFD\x33\x9D\x4D\x66",
+	["CN=Security Communication ECC RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x02\x38\x30\x82\x01\xBE\xA0\x03\x02\x01\x02\x02\x09\x00\xD6\x5D\x9B\xB3\x78\x81\x2E\xEB\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x31\x36\x30\x36\x31\x36\x30\x35\x31\x35\x32\x38\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x30\x35\x31\x35\x32\x38\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA4\xA5\x6F\x60\x03\x03\xC3\xBD\x31\xF4\xD3\x17\x9C\x2B\x84\x75\xAC\xE5\xFD\x3D\x57\x6E\xD7\x63\xBF\xE6\x04\x89\x92\x8E\x81\x9C\xE3\xE9\x47\x6E\xCA\x90\x12\xC8\x13\xE0\xA7\x9D\xF7\x65\x74\x1F\x6C\x10\xB2\xE8\xE4\xE9\xEF\x6D\x85\x32\x99\x44\xB1\x5E\xFD\xCC\x76\x10\xD8\x5B\xBD\xA2\xC6\xF9\xD6\x42\xE4\x57\x76\xDC\x90\xC2\x35\xA9\x4B\x88\x3C\x12\x47\x6D\x5C\xFF\x49\x4F\x1A\x4A\x50\xB1\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x86\x1C\xE7\xFE\x2D\xA5\x4A\x8B\x08\xFE\x28\x11\xFA\xBE\xA3\x66\xF8\x60\x59\x2F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x15\x5D\x42\x3D\xFC\xB6\xEE\xF7\x3B\xB1\x36\xE8\x9E\xF6\xC4\x46\x28\x49\x33\xD0\x58\x43\x2A\x63\x29\xCC\x4D\xB1\xB4\x7A\xA2\xB9\x0D\x38\xA5\x5D\x48\x2A\xFD\xCB\xB2\x73\x5D\xA3\x88\x08\xC7\x0C\x02\x31\x00\xC0\xAB\x2D\x0E\x6D\xED\x18\xA2\xDB\x53\xE9\x25\xDB\x55\x08\xE0\x50\xCC\xDF\x44\x61\x16\x82\xAB\x49\xB0\xB2\x81\xEC\x73\x87\x78\xB4\x4C\xB2\x62\x1B\x12\xFA\x16\x4D\x25\x4B\x63\xBD\x1E\x37\xD9",
 };
diff --git a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
index fed7486fd1..f0e1008a78 100644
--- a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
+++ b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
@@ -244,7 +244,7 @@ event zeek_init()
 
 @endif
 
-function cr_check_rule(r: Rule): bool
+function cr_check_rule(r: Rule): bool &is_used
 	{
 	if ( r$ty == DROP && r$entity$ty == ADDRESS )
 		{
diff --git a/scripts/policy/frameworks/notice/community-id.zeek b/scripts/policy/frameworks/notice/community-id.zeek
index 5f16b64285..122d3adba5 100644
--- a/scripts/policy/frameworks/notice/community-id.zeek
+++ b/scripts/policy/frameworks/notice/community-id.zeek
@@ -22,14 +22,7 @@ export {
 
 hook Notice::notice(n: Notice::Info)
 	{
-	if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
-		{
-		local info = n$conn$conn;
-		# This is set during new_connection(), so it should
-		# always be there, but better safe than sorry.
-		if ( info?$community_id )
-			n$community_id = info$community_id;
-		}
+	if ( CommunityID::Notice::enabled && n?$conn )
+		n$community_id = community_id_v1(n$conn$id);
 	}
-
 @endif
diff --git a/scripts/policy/frameworks/spicy/record-spicy-batch.zeek b/scripts/policy/frameworks/spicy/record-spicy-batch.zeek
new file mode 100644
index 0000000000..ddea432053
--- /dev/null
+++ b/scripts/policy/frameworks/spicy/record-spicy-batch.zeek
@@ -0,0 +1,90 @@
+##! Saves all input traffic in Spicy's batch format.
+
+module SpicyBatch;
+
+export {
+    const filename = "batch.dat" &redef;
+}
+
+redef tcp_content_deliver_all_orig=T;
+redef tcp_content_deliver_all_resp=T;
+redef udp_content_deliver_all_orig=T;
+redef udp_content_deliver_all_resp=T;
+
+global output: file;
+global conns: set[conn_id];
+global num_conns = 0;
+
+function id(c: connection) : string
+	{
+	local cid = c$id;
+	local proto = "???";
+
+	if ( is_tcp_port(cid$orig_p) )
+		proto = "tcp";
+	else if ( is_udp_port(cid$orig_p) )
+		proto = "udp";
+	else if ( is_icmp_port(cid$orig_p) )
+		proto = "icmp";
+
+	return fmt("%s-%d-%s-%d-%s", cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, proto);
+	}
+
+function begin(c: connection, type_: string)
+	{
+	add conns[c$id];
+	++num_conns;
+	print fmt("tracking %s", c$id);
+
+	local id_ = id(c);
+	print output, fmt("@begin-conn %s %s %s-orig %s%%orig %s-resp %s%%resp\n", id_, type_, id_, c$id$resp_p, id_, c$id$resp_p);
+	}
+
+event zeek_init()
+	{
+	output = open(filename);
+	enable_raw_output(output);
+	print output, "!spicy-batch v2\n";
+	}
+
+event new_connection_contents(c: connection)
+	{
+	begin(c, "stream");
+	}
+
+event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
+	{
+	print output, fmt("@data %s-%s %d\n", id(c), (is_orig ? "orig" : "resp"), |contents|);
+	print output, contents;
+	print output, "\n";
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	print output, fmt("@gap %s-%s %d\n", id(c), (is_orig ? "orig" : "resp"), length);
+	}
+
+event udp_contents(c: connection, is_orig: bool, contents: string)
+	{
+	if ( c$id !in conns )
+		begin(c, "block");
+
+	print output, fmt("@data %s-%s %d\n", id(c), (is_orig ? "orig" : "resp"), |contents|);
+	print output, contents;
+	print output, "\n";
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in conns )
+		return;
+
+	print output, fmt("@end-conn %s\n", id(c));
+	}
+
+event zeek_done()
+	{
+	close(output);
+	print fmt("recorded %d session%s total", num_conns, (num_conns > 1 ? "s" : ""));
+	print fmt("output in %s", filename);
+	}
diff --git a/scripts/policy/frameworks/spicy/resource-usage.zeek b/scripts/policy/frameworks/spicy/resource-usage.zeek
new file mode 100644
index 0000000000..d5daf8c404
--- /dev/null
+++ b/scripts/policy/frameworks/spicy/resource-usage.zeek
@@ -0,0 +1,20 @@
+##! Logs Spicy-related resource usage continously for debugging purposes.
+
+module Spicy;
+
+event print_usage()
+	{
+	local r = Spicy::resource_usage();
+
+	print fmt("%.6f Spicy user=%f sys=%f heap=%d current_fibers=%d cached_fibers=%d max_fibers=%d max_stack=%d",
+	    network_time(), r$user_time, r$system_time, r$memory_heap,
+	    r$num_fibers, r$cached_fibers, r$max_fibers,
+	    r$max_fiber_stack_size);
+
+	schedule 1 min { print_usage() };
+	}
+
+event zeek_init()
+	{
+	schedule 1 min { print_usage() };
+	}
diff --git a/scripts/policy/misc/stats.zeek b/scripts/policy/misc/stats.zeek
index d64406e217..4562f91a93 100644
--- a/scripts/policy/misc/stats.zeek
+++ b/scripts/policy/misc/stats.zeek
@@ -123,22 +123,33 @@ global packets_filtered_cf = Telemetry::register_counter_family([
     $help_text="Total number of packets filtered",
 ]);
 
+global packet_lag_gf = Telemetry::register_gauge_family([
+    $prefix="zeek",
+    $name="net-packet-lag",
+    $unit="seconds",
+    $help_text="Difference of network time and wallclock time in seconds.",
+]);
+
+global no_labels: vector of string;
+
 hook Telemetry::sync() {
 	local net_stats = get_net_stats();
-	Telemetry::counter_family_set(bytes_received_cf, vector(), net_stats$bytes_recvd);
-	Telemetry::counter_family_set(packets_received_cf, vector(), net_stats$pkts_recvd);
+	Telemetry::counter_family_set(bytes_received_cf, no_labels, net_stats$bytes_recvd);
+	Telemetry::counter_family_set(packets_received_cf, no_labels, net_stats$pkts_recvd);
 
 	if ( reading_live_traffic() )
 		{
-		Telemetry::counter_family_set(packets_dropped_cf, vector(), net_stats$pkts_dropped);
-		Telemetry::counter_family_set(link_packets_cf, vector(), net_stats$pkts_link);
+		Telemetry::counter_family_set(packets_dropped_cf, no_labels, net_stats$pkts_dropped);
+		Telemetry::counter_family_set(link_packets_cf, no_labels, net_stats$pkts_link);
 
 		if ( net_stats?$pkts_filtered )
-			Telemetry::counter_family_set(packets_filtered_cf, vector(), net_stats$pkts_filtered);
+			Telemetry::counter_family_set(packets_filtered_cf, no_labels, net_stats$pkts_filtered);
+
+		Telemetry::gauge_family_set(packet_lag_gf, no_labels,
+		                            interval_to_double(current_time() - network_time()));
 		}
 }
 
-
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats", $policy=log_policy]);
diff --git a/scripts/policy/protocols/conn/community-id-logging.zeek b/scripts/policy/protocols/conn/community-id-logging.zeek
index 82bb9049a5..a08430727b 100644
--- a/scripts/policy/protocols/conn/community-id-logging.zeek
+++ b/scripts/policy/protocols/conn/community-id-logging.zeek
@@ -17,10 +17,7 @@ export {
 	};
 }
 
-module Conn;
-
-event new_connection(c: connection)
+event connection_state_remove(c: connection)
 	{
-	Conn::set_conn(c, F);  # likely first to access :-/
 	c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
 	}
diff --git a/scripts/spicy/zeek.spicy b/scripts/spicy/zeek.spicy
new file mode 100644
index 0000000000..4f4467008d
--- /dev/null
+++ b/scripts/spicy/zeek.spicy
@@ -0,0 +1,157 @@
+# Copyright (c) 2020-2021 by the Zeek Project. See LICENSE for details.
+
+module zeek;
+
+# Note: Retain the formatting here, doc/scripts/autogen-spicy-lib is picking up on that.
+
+%cxx-include = "zeek/spicy/runtime-support.h";
+
+## [Deprecated] Triggers a DPD protocol confirmation for the current connection.
+##
+## This function has been deprecated and will be removed. Use ``spicy::accept_input``
+## instead, which will have the same effect with Zeek.
+public function confirm_protocol() : void &cxxname="zeek::spicy::rt::confirm_protocol";
+
+## [Deprecated] Triggers a DPD protocol violation for the current connection.
+##
+## This function has been deprecated and will be removed. Use ``spicy::decline_input``
+## instead, which will have the same effect with Zeek.
+public function reject_protocol(reason: string) : void &cxxname="zeek::spicy::rt::reject_protocol";
+
+## Reports a "weird" to Zeek. This should be used with similar semantics as in
+## Zeek: something quite unexpected happening at the protocol level, which however
+## does not prevent us from continuing to process the connection.
+##
+## id: the name of the weird, which (just like in Zeek) should be a *static*
+## string identifying the situation reported (e.g., ``unexpected_command``).
+##
+## addl: additional information to record along with the weird
+public function weird(id: string, addl: string = "") &cxxname="zeek::spicy::rt::weird";
+
+## Returns true if we're currently parsing the originator side of a connection.
+public function is_orig() : bool &cxxname="zeek::spicy::rt::is_orig";
+
+## Returns the current connection's UID.
+public function uid() : string &cxxname="zeek::spicy::rt::uid";
+
+## Returns the current connection's 4-tuple ID.
+public function conn_id() : tuple<orig_h: addr, orig_p: port, resp_h: addr, resp_p: port> &cxxname="zeek::spicy::rt::conn_id";
+
+## Instructs Zeek to flip the directionality of the current connection.
+public function flip_roles() : void &cxxname="zeek::spicy::rt::flip_roles";
+
+## Returns the number of packets seen so far on the current side of the current connection.
+public function number_packets() : uint64 &cxxname="zeek::spicy::rt::number_packets";
+
+## Opaque handle to a protocol analyzer.
+public type ProtocolHandle = __library_type("zeek::spicy::rt::ProtocolHandle");
+
+## Adds a Zeek-side child protocol analyzer to the current connection.
+##
+## If the same analyzer was added previously with protocol_handle_get_or_create or
+## protocol_begin with same argument, and not closed with protocol_handle_close
+## or protocol_end, no new analyzer will be added.
+##
+## See `protocol_handle_get_or_create` for the error semantics of this function.
+##
+## analyzer: type of analyzer to instantiate, specified through its Zeek-side
+## name (similar to what Zeek's signature action `enable` takes); if not
+## specified, Zeek will perform its usual dynamic protocol detection to figure
+## out how to parse the data (the latter will work only for TCP protocols, though.)
+public function protocol_begin(analyzer: optional<string> = Null) : void &cxxname="zeek::spicy::rt::protocol_begin";
+
+## Gets a handle to a Zeek-side child protocol analyzer for the current connection.
+##
+## If no such child exists it will be added; otherwise a handle to the
+## existing child protocol analyzer will be returned.
+##
+## This function will return an error
+##
+## - if not called from a protocol analyzer, or
+## - the requested child protocol analyzer is unknown, or
+## - creation of a child analyzer of the requested type was prevented by a
+##   previous call of `disable_analyzer` with `prevent=T`
+##
+## analyzer: type of analyzer to instantiate, specified through its Zeek-side
+## name (similar to what Zeek's signature action `enable` takes).
+public function protocol_handle_get_or_create(analyzer: string) : ProtocolHandle &cxxname="zeek::spicy::rt::protocol_handle_get_or_create";
+
+## Forwards protocol data to all previously instantiated Zeek-side child protocol analyzers.
+##
+## is_orig: true to feed the data to the child's originator side, false for the responder
+## data: chunk of data to forward to child analyzer
+## h: optional handle to the child analyzer to forward data into, else forward to all child analyzers
+public function protocol_data_in(is_orig: bool, data: bytes, h: optional<ProtocolHandle> = Null) : void &cxxname="zeek::spicy::rt::protocol_data_in";
+
+## Signals a gap in input data to all previously instantiated Zeek-side child protocol analyzers.
+##
+## is_orig: true to signal gap to the child's originator side, false for the responder
+## offset: start offset of gap in input stream
+## len: size of gap
+## h: optional handle to the child analyzer signal a gap to, else signal to all child analyzers
+public function protocol_gap(is_orig: bool, offset: uint64, len: uint64, h: optional<ProtocolHandle> = Null) : void &cxxname="zeek::spicy::rt::protocol_gap";
+
+## Signals end-of-data to all previously instantiated Zeek-side child protocol
+## analyzers and removes them.
+public function protocol_end() : void &cxxname="zeek::spicy::rt::protocol_end";
+
+## Signals end-of-data to the given child analyzer and removes it.
+##
+## The given handle must be live, i.e., it must not have been used in a
+## previous protocol_handle_close call, and must not have been live when
+## protocol_end was called. If the handle is not live a runtime error will
+## be triggered.
+##
+## handle: handle to the child analyzer to remove
+public function protocol_handle_close(handle: ProtocolHandle): void &cxxname="zeek::spicy::rt::protocol_handle_close";
+
+## Signals the beginning of a file to Zeek's file analysis, associating it with the current connection.
+## Optionally, a mime type can be provided. It will be passed on to Zeek's file analysis framework.
+## Returns the Zeek-side file ID of the new file.
+public function file_begin(mime_type: optional<string> = Null) : string &cxxname="zeek::spicy::rt::file_begin";
+
+## Returns the current file's FUID.
+public function fuid() : string &cxxname="zeek::spicy::rt::fuid";
+
+## Terminates the currently active Zeek-side session, flushing all state. Any
+## subsequent activity will start a new session from scratch. This can only be
+## called from inside a protocol analyzer.
+public function terminate_session() : void &cxxname="zeek::spicy::rt::terminate_session";
+
+## Signals the expected size of a file to Zeek's file analysis.
+##
+## size: expected size of file
+## fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+public function file_set_size(size: uint64, fid: optional<string> = Null) : void &cxxname="zeek::spicy::rt::file_set_size";
+
+## Passes file content on to Zeek's file analysis.
+##
+## data: chunk of raw data to pass into analysis
+## fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+public function file_data_in(data: bytes, fid: optional<string> = Null) : void &cxxname="zeek::spicy::rt::file_data_in";
+
+## Passes file content at a specific offset on to Zeek's file analysis.
+##
+## data: chunk of raw data to pass into analysis
+## offset: position in file where data starts
+## fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+public function file_data_in_at_offset(data: bytes, offset: uint64, fid: optional<string> = Null) : void &cxxname="zeek::spicy::rt::file_data_in_at_offset";
+
+## Signals a gap in a file to Zeek's file analysis.
+##
+## offset: position in file where gap starts
+## len: size of gap
+## fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+public function file_gap(offset: uint64, len: uint64, fid: optional<string> = Null) : void &cxxname="zeek::spicy::rt::file_gap";
+
+## Signals the end of a file to Zeek's file analysis.
+##
+## fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+public function file_end(fid: optional<string> = Null) : void &cxxname="zeek::spicy::rt::file_end";
+
+## Inside a packet analyzer, forwards what data remains after parsing the top-level unit
+## on to another analyzer. The index specifies the target, per the current dispatcher table.
+public function forward_packet(identifier: uint32) : void &cxxname="zeek::spicy::rt::forward_packet";
+
+## Gets the network time from Zeek.
+public function network_time() : time &cxxname="zeek::spicy::rt::network_time";
diff --git a/scripts/spicy/zeek_file.spicy b/scripts/spicy/zeek_file.spicy
new file mode 100644
index 0000000000..71082f9be9
--- /dev/null
+++ b/scripts/spicy/zeek_file.spicy
@@ -0,0 +1,31 @@
+# Copyright (c) 2020-2021 by the Zeek Project. See LICENSE for details.
+#
+# TODO: This code would ideally just be a part of zeek.spicy, but that would
+# come with compilation overhead currently even if not used, see
+# https://github.com/zeek/spicy/issues/301.
+
+module zeek_file;
+
+import zeek;
+
+## Convenience wrapper for passing content into Zeek's file analysis.
+## After connecting an instance of this unit type to a sink, all data
+## sent to the sink will be passed on to Zeek as a file.
+##
+## mime_type: MIME type of the file's content, if known; will be passed on to Zeek
+## size: Total number of bytes the file contains, if known; will be passed on to Zeek
+public type File = unit(mime_type: optional<string> = Null, size: optional<uint64> = Null) {
+    on %init {
+       self.fid = zeek::file_begin(mime_type);
+
+       if ( size )
+           zeek::file_set_size(*size, self.fid);
+    }
+
+    : bytes &chunked &eod { zeek::file_data_in($$, self.fid); }
+
+    on %finally { zeek::file_end(self.fid); }
+
+    ## Zeek-side file ID
+    var fid: string;
+};
diff --git a/scripts/spicy/zeek_rt.hlt b/scripts/spicy/zeek_rt.hlt
new file mode 100644
index 0000000000..3f5ea23d26
--- /dev/null
+++ b/scripts/spicy/zeek_rt.hlt
@@ -0,0 +1,46 @@
+
+module zeek_rt {
+
+import hilti;
+
+%cxx-include = "zeek/spicy/runtime-support.h";
+
+public type Val = __library_type("::zeek::ValPtr");
+public type BroType = __library_type("::zeek::TypePtr");
+public type EventHandlerPtr = __library_type("::zeek::EventHandlerPtr");
+public type PortRange = __library_type("::zeek::spicy::rt::PortRange");
+
+declare public PortRange make_port_range(port begin_, port end_) &cxxname="zeek::spicy::rt::make_port_range" &have_prototype;
+
+type ZeekTypeTag = enum {
+    Addr, Any, Bool, Count, Double, Enum, Error, File, Func, Int, Interval, List, Opaque, Pattern, Port, Record, String, Subnet, Table, Time, Type, Vector, Void
+} &cxxname="::zeek::spicy::rt::ZeekTypeTag";
+
+declare public void register_protocol_analyzer(string name, hilti::Protocol protocol, vector<PortRange> ports, string parser_orig, string parser_resp, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_protocol_analyzer" &have_prototype;
+declare public void register_file_analyzer(string name, vector<string> mime_types, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_file_analyzer" &have_prototype;
+declare public void register_packet_analyzer(string name, string parser, string replaces, string linker_scope) &cxxname="zeek::spicy::rt::register_packet_analyzer" &have_prototype;
+declare public void register_type(string ns, string id, BroType t) &cxxname="zeek::spicy::rt::register_type" &have_prototype;
+
+declare public bool have_handler(EventHandlerPtr handler) &cxxname="zeek::spicy::rt::have_handler" &have_prototype;
+declare public EventHandlerPtr internal_handler(string event) &cxxname="zeek::spicy::rt::internal_handler" &have_prototype;
+declare public void install_handler(string event) &cxxname="zeek::spicy::rt::install_handler" &have_prototype;
+
+declare public void raise_event(EventHandlerPtr handler, vector<Val> args) &cxxname="zeek::spicy::rt::raise_event" &have_prototype;
+declare public BroType event_arg_type(EventHandlerPtr handler, uint<64> idx) &cxxname="zeek::spicy::rt::event_arg_type" &have_prototype;
+declare public Val to_val(any x, BroType target) &cxxname="zeek::spicy::rt::to_val" &have_prototype;
+
+type RecordField = tuple<string, BroType, bool>; # (ID, type, optional)
+declare public BroType create_base_type(ZeekTypeTag tag) &cxxname="zeek::spicy::rt::create_base_type" &have_prototype;
+declare public BroType create_enum_type(string ns, string id, vector<tuple<string, int<64>>> labels) &cxxname="zeek::spicy::rt::create_enum_type" &have_prototype;
+declare public BroType create_record_type(string ns, string id, vector<RecordField> fields) &cxxname="zeek::spicy::rt::create_record_type" &have_prototype;
+declare public BroType create_table_type(BroType key, optional<BroType> value = Null) &cxxname="zeek::spicy::rt::create_table_type" &have_prototype;
+declare public BroType create_vector_type(BroType elem) &cxxname="zeek::spicy::rt::create_vector_type" &have_prototype;
+
+declare public Val current_conn() &cxxname="zeek::spicy::rt::current_conn" &have_prototype;
+declare public Val current_file() &cxxname="zeek::spicy::rt::current_file" &have_prototype;
+declare public Val current_packet() &cxxname="zeek::spicy::rt::current_packet" &have_prototype;
+declare public Val current_is_orig() &cxxname="zeek::spicy::rt::current_is_orig" &have_prototype;
+
+declare public void debug(string msg) &cxxname="zeek::spicy::rt::debug" &have_prototype;
+
+}
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index 389dd1d442..285d1f1198 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -72,6 +72,8 @@
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek
 @load frameworks/software/vulnerable.zeek
+# @load frameworks/spicy/record-spicy-batch.zeek
+# @load frameworks/spicy/resource-usage.zeek
 @load frameworks/software/windows-version-detection.zeek
 @load frameworks/telemetry/log.zeek
 @load integration/collective-intel/__load__.zeek
diff --git a/scripts/zeekygen/__load__.zeek b/scripts/zeekygen/__load__.zeek
index e5eb9a45ba..d7280b018c 100644
--- a/scripts/zeekygen/__load__.zeek
+++ b/scripts/zeekygen/__load__.zeek
@@ -13,6 +13,11 @@
 @load policy/misc/dump-events.zeek
 @load policy/protocols/conn/speculative-service.zeek
 
+@if ( have_spicy() )
+@load frameworks/spicy/record-spicy-batch.zeek
+@load frameworks/spicy/resource-usage.zeek
+@endif
+
 @load ./example.zeek
 
 event zeek_init()
diff --git a/auxil/spicy/spicy-path.in b/spicy-path.in
similarity index 54%
rename from auxil/spicy/spicy-path.in
rename to spicy-path.in
index 3fab168230..464b56510f 100755
--- a/auxil/spicy/spicy-path.in
+++ b/spicy-path.in
@@ -4,7 +4,7 @@
 # Spicy tooling in the build tree.
 
 PATHS=.
-PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/spicy/lib
-PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/hilti/lib
+PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/spicy/lib
+PATHS=$PATHS:@CMAKE_SOURCE_DIR@/auxil/spicy/hilti/lib
 
 echo $PATHS
diff --git a/src/3rdparty b/src/3rdparty
index 58e63b262e..410ada8bbe 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 58e63b262e542895024c821e791214008604cd55
+Subproject commit 410ada8bbe5839807a459a99c1b77221f790f1be
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 7ade806201..627bb17c57 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,121 +1,102 @@
-include_directories(BEFORE
-                    ${CMAKE_CURRENT_SOURCE_DIR}
-                    ${CMAKE_CURRENT_SOURCE_DIR}/include
-                    ${CMAKE_CURRENT_BINARY_DIR}
-                    ${CMAKE_CURRENT_BINARY_DIR}/include
-)
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/include
+                    ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_BINARY_DIR}/include)
 
 # Force creation of includes symlink. This can't just be in the src directory
 # because MSVC will end up with an include loop.
-execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
-                "${CMAKE_CURRENT_SOURCE_DIR}/include")
-execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink
-                ".."
-                "${CMAKE_CURRENT_SOURCE_DIR}/include/zeek")
+execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_CURRENT_SOURCE_DIR}/include")
+execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink ".."
+                        "${CMAKE_CURRENT_SOURCE_DIR}/include/zeek")
 
 # Allows header file inclusion via zeek/ within the build tree
-execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory
-                "${CMAKE_CURRENT_BINARY_DIR}/include")
-execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink
-                ".."
-                "${CMAKE_CURRENT_BINARY_DIR}/include/zeek")
+execute_process(COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_CURRENT_BINARY_DIR}/include")
+execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink ".."
+                        "${CMAKE_CURRENT_BINARY_DIR}/include/zeek")
 
 # Poor man's JSON escaping as this is rendered into a C string.
 string(REPLACE "\"" "\\\"" ZEEK_BUILD_INFO_ESCAPED "${ZEEK_BUILD_INFO}")
 string(REPLACE "\n" "\\n" ZEEK_BUILD_INFO_ESCAPED "${ZEEK_BUILD_INFO_ESCAPED}")
 configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c)
-configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h)
 
-# This creates a custom command to transform a bison output file (inFile)
-# into outFile in order to avoid symbol conflicts:
-# - replaces instances of 'yylex' in inFile with yylexPrefix
-# - replaces instances of 'yy' in inFile with yyPrefix
-# - deletes instances of 'extern char.*getenv' in inFile
-# - writes results to outFile and adds it to list TRANSFORMED_BISON_OUTPUTS
-macro(REPLACE_YY_PREFIX_TARGET inFile outFile yylexPrefix yyPrefix)
+# This creates a custom command to transform a bison output file (inFile) into
+# outFile in order to avoid symbol conflicts: - replaces instances of 'yylex' in
+# inFile with yylexPrefix - replaces instances of 'yy' in inFile with yyPrefix -
+# deletes instances of 'extern char.*getenv' in inFile - writes results to
+# outFile and adds it to list TRANSFORMED_BISON_OUTPUTS
+macro (REPLACE_YY_PREFIX_TARGET inFile outFile yylexPrefix yyPrefix)
     set(args "\"/extern char.*getenv/d")
     set(args "${args}\;s/yylex/${yylexPrefix}lex/")
     set(args "${args}\;s/yy/${yyPrefix}/g\"" < ${inFile} > ${outFile})
-    add_custom_command(OUTPUT ${outFile}
-                       COMMAND ${SED_EXE}
-                       ARGS ${args}
-                       DEPENDS ${inFile}
-                       COMMENT "[sed] replacing stuff in ${inFile}"
-    )
+    add_custom_command(
+        OUTPUT ${outFile}
+        COMMAND ${SED_EXE} ARGS ${args}
+        DEPENDS ${inFile}
+        COMMENT "[sed] replacing stuff in ${inFile}")
     list(APPEND TRANSFORMED_BISON_OUTPUTS ${outFile})
-endmacro(REPLACE_YY_PREFIX_TARGET)
+endmacro (REPLACE_YY_PREFIX_TARGET)
 
-########################################################################
-## Create targets to generate parser and scanner code
+# ##############################################################################
+# Create targets to generate parser and scanner code
 
 set(BISON_FLAGS "--debug")
 
-if ( MSVC )
+if (MSVC)
     set(SIGN_COMPARE_FLAG "/wd4018")
-else()
+else ()
     set(SIGN_COMPARE_FLAG "-Wno-sign-compare")
-endif()
+endif ()
 
 # Rule parser/scanner
-bison_target(RuleParser rule-parse.y
-             ${CMAKE_CURRENT_BINARY_DIR}/rup.cc
-             HEADER ${CMAKE_CURRENT_BINARY_DIR}/rup.h
-             #VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/rule_parse.output
-             COMPILE_FLAGS "${BISON_FLAGS}")
+bison_target(
+    RuleParser rule-parse.y ${CMAKE_CURRENT_BINARY_DIR}/rup.cc
+    DEFINES_FILE ${CMAKE_CURRENT_BINARY_DIR}/rup.h
+    # VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/rule_parse.output
+    COMPILE_FLAGS "${BISON_FLAGS}")
 replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.cc
-                         ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.cc
-                         rules_ rules_)
-replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.h
-                         ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.h
+                         ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.cc rules_ rules_)
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.h ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.h
                          rules_ rules_)
 flex_target(RuleScanner rule-scan.l ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc
             COMPILE_FLAGS "-Prules_")
 set_property(SOURCE rule-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "${SIGN_COMPARE_FLAG}")
 
 # RE parser/scanner
-bison_target(REParser re-parse.y
-             ${CMAKE_CURRENT_BINARY_DIR}/rep.cc
-             HEADER ${CMAKE_CURRENT_BINARY_DIR}/re-parse.h
-             #VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/re_parse.output
-             COMPILE_FLAGS "${BISON_FLAGS}")
-replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rep.cc
-                         ${CMAKE_CURRENT_BINARY_DIR}/re-parse.cc
+bison_target(
+    REParser re-parse.y ${CMAKE_CURRENT_BINARY_DIR}/rep.cc
+    DEFINES_FILE ${CMAKE_CURRENT_BINARY_DIR}/re-parse.h
+                 # VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/re_parse.output
+    COMPILE_FLAGS "${BISON_FLAGS}")
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rep.cc ${CMAKE_CURRENT_BINARY_DIR}/re-parse.cc
                          re_ RE_)
-flex_target(REScanner re-scan.l ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc
-            COMPILE_FLAGS "-Pre_")
+flex_target(REScanner re-scan.l ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc COMPILE_FLAGS "-Pre_")
 add_flex_bison_dependency(REScanner REParser)
 set_property(SOURCE re-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "${SIGN_COMPARE_FLAG}")
 
 # Parser/Scanner
-bison_target(Parser parse.y
-             ${CMAKE_CURRENT_BINARY_DIR}/p.cc
-             HEADER ${CMAKE_CURRENT_BINARY_DIR}/zeekparse.h
-             #VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/parse.output
-             COMPILE_FLAGS "${BISON_FLAGS}")
-replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc
-                         ${CMAKE_CURRENT_BINARY_DIR}/parse.cc
-                         zeek yy)
-flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
-            COMPILE_FLAGS "-Pzeek")
+bison_target(
+    Parser parse.y ${CMAKE_CURRENT_BINARY_DIR}/p.cc
+    DEFINES_FILE ${CMAKE_CURRENT_BINARY_DIR}/zeekparse.h
+    # VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/parse.output
+    COMPILE_FLAGS "${BISON_FLAGS}")
+replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc ${CMAKE_CURRENT_BINARY_DIR}/parse.cc zeek
+                         yy)
+flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc COMPILE_FLAGS "-Pzeek")
 set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "${SIGN_COMPARE_FLAG}")
 
 # Add a dependency for the generated files to zeek_autogen_files.
 add_custom_target(
     zeek_bison_outputs
-    DEPENDS
-        ${CMAKE_CURRENT_BINARY_DIR}/parse.cc
-        ${CMAKE_CURRENT_BINARY_DIR}/re-parse.cc
-        ${CMAKE_CURRENT_BINARY_DIR}/re-parse.h
-        ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc
-        ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.cc
-        ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.h
-        ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc
-        ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
-)
+    DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/parse.cc
+            ${CMAKE_CURRENT_BINARY_DIR}/re-parse.cc
+            ${CMAKE_CURRENT_BINARY_DIR}/re-parse.h
+            ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc
+            ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.cc
+            ${CMAKE_CURRENT_BINARY_DIR}/rule-parse.h
+            ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc
+            ${CMAKE_CURRENT_BINARY_DIR}/scan.cc)
 add_dependencies(zeek_autogen_files zeek_bison_outputs)
 
-########################################################################
-## bifcl-dependent targets
+# ##############################################################################
+# bifcl-dependent targets
 
 include(BifCl)
 
@@ -131,34 +112,30 @@ set(BIF_SRCS
     strings.bif
     reporter.bif
     option.bif
-    # Note: the supervisor BIF file is treated like other top-level BIFs
-    # instead of contained in its own subdirectory CMake logic because
-    # subdirectory BIFs are treated differently and don't support being called
-    # *during* parsing (e.g. within an @if directive).
+    # Note: the supervisor BIF file is treated like other top-level BIFs instead
+    # of contained in its own subdirectory CMake logic because subdirectory BIFs
+    # are treated differently and don't support being called *during* parsing
+    # (e.g. within an @if directive).
     supervisor/supervisor.bif
-    # The packet analysis BIF is treated like other top-level BIFs because
-    # it's needed before parsing the packet protocol scripts, which happen
-    # very near to the start of parsing.
+    # The packet analysis BIF is treated like other top-level BIFs because it's
+    # needed before parsing the packet protocol scripts, which happen very near
+    # to the start of parsing.
     packet_analysis/packet_analysis.bif
-    # The C++ loading BIF is treated like other top-level BIFs to give
-    # us flexibility regarding when it's called.
-    script_opt/CPP/CPP-load.bif
-)
+    # The C++ loading BIF is treated like other top-level BIFs to give us
+    # flexibility regarding when it's called.
+    script_opt/CPP/CPP-load.bif)
 
 foreach (bift ${BIF_SRCS})
     bif_target(${bift} "standard")
 endforeach ()
 
-########################################################################
-## BinPAC-dependent targets
+# ##############################################################################
+# BinPAC-dependent targets
 
 include(BinPAC)
 
-set(BINPAC_AUXSRC
-    ${CMAKE_CURRENT_SOURCE_DIR}/binpac.pac
-    ${CMAKE_CURRENT_SOURCE_DIR}/zeek.pac
-    ${CMAKE_CURRENT_SOURCE_DIR}/binpac_zeek.h
-)
+set(BINPAC_AUXSRC ${CMAKE_CURRENT_SOURCE_DIR}/binpac.pac ${CMAKE_CURRENT_SOURCE_DIR}/zeek.pac
+                  ${CMAKE_CURRENT_SOURCE_DIR}/binpac_zeek.h)
 
 set(BINPAC_OUTPUTS "")
 
@@ -168,8 +145,8 @@ list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}")
 binpac_target(binpac_zeek-lib.pac)
 list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}")
 
-########################################################################
-## Gen-ZAM setup
+# ##############################################################################
+# Gen-ZAM setup
 
 include(Gen-ZAM)
 
@@ -177,9 +154,9 @@ set(GEN_ZAM_SRC ${CMAKE_CURRENT_SOURCE_DIR}/script_opt/ZAM/Ops.in)
 
 gen_zam_target(${GEN_ZAM_SRC})
 
-########################################################################
-## Including subdirectories.
-########################################################################
+# ##############################################################################
+# Including subdirectories.
+# ##############################################################################
 
 option(USE_SQLITE "Should Zeek use SQLite?" ON)
 
@@ -195,48 +172,67 @@ add_subdirectory(logging)
 add_subdirectory(probabilistic)
 add_subdirectory(session)
 
-########################################################################
-## Build in the discovered external plugins and create the autogenerated scripts.
+if (HAVE_SPICY)
+    add_subdirectory(spicy)
+endif ()
+
+# ##############################################################################
+# Build in the discovered external plugins and create the autogenerated scripts.
 
 set(PRELOAD_SCRIPT ${PROJECT_BINARY_DIR}/scripts/builtin-plugins/__preload__.zeek)
 file(WRITE ${PRELOAD_SCRIPT} "# Warning, this is an autogenerated file!\n")
 set(LOAD_SCRIPT ${PROJECT_BINARY_DIR}/scripts/builtin-plugins/__load__.zeek)
 file(WRITE ${LOAD_SCRIPT} "# Warning, this is an autogenerated file!\n")
 
-foreach (plugin_dir ${BUILTIN_PLUGIN_LIST})
-    get_filename_component(plugin_name ${plugin_dir} NAME)
+# TODO: this really should be a function to make sure we have an isolated scope.
+# However, for historic reasons, we're not doing that yet. Some plugin modify
+# global state such as `zeekdeps`.
+macro (add_extra_builtin_plugin plugin_dir)
+    get_filename_component(plugin_name "${plugin_dir}" NAME)
 
-    if(IS_DIRECTORY "${plugin_dir}/cmake")
-        set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${plugin_dir}/cmake")
-    endif()
+    if (IS_DIRECTORY "${plugin_dir}/cmake")
+        list(APPEND CMAKE_MODULE_PATH "${plugin_dir}/cmake")
+    endif ()
+
+    # Set this flag so that ZeekPluginStatic.cmake knows that this plugin is not
+    # from our source tree but from an external source (or git submodule). This
+    # will tell CMake to *not* define ZEEK_CONFIG_SKIP_VERSION_H for the plugin.
+    set(ZEEK_BUILDING_EXTRA_PLUGINS ON)
 
     add_subdirectory(${plugin_dir} ${CMAKE_CURRENT_BINARY_DIR}/builtin-plugins/${plugin_name})
-endforeach()
+
+    # TODO: drop once we turn this into a function.
+    set(ZEEK_BUILDING_EXTRA_PLUGINS OFF)
+endmacro ()
+
+foreach (plugin_dir ${BUILTIN_PLUGIN_LIST})
+    add_extra_builtin_plugin("${plugin_dir}")
+endforeach ()
 
 install(FILES ${PRELOAD_SCRIPT} DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/builtin-plugins/)
 install(FILES ${LOAD_SCRIPT} DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/builtin-plugins/)
 
-########################################################################
-## This has to happen after the parts for builtin plugins, or else
-## symbols are missing when it goes to link the fuzzer binaries.
+# ##############################################################################
+# This has to happen after the parts for builtin plugins, or else symbols are
+# missing when it goes to link the fuzzer binaries.
 add_subdirectory(fuzzers)
 
-########################################################################
-## zeek target
+# ##############################################################################
+# zeek target
 
-find_package (Threads)
+find_package(Threads)
 
 # Avoid CMake warning about "3rdparty" looking like a number.
 
 cmake_policy(PUSH)
 
 if (POLICY CMP0012)
-cmake_policy(SET CMP0012 NEW)
+    cmake_policy(SET CMP0012 NEW)
 endif ()
 
-# This macro stores associated headers for any C/C++ source files given
-# as arguments (past _var) as a list in the CMake variable named "_var".
-macro(COLLECT_HEADERS _var)
+# This macro stores associated headers for any C/C++ source files given as
+# arguments (past _var) as a list in the CMake variable named "_var".
+macro (COLLECT_HEADERS _var)
     foreach (src ${ARGN})
         get_filename_component(ext ${src} EXT)
         if ("${ext}" STREQUAL ".cc" OR "${ext}" STREQUAL ".c")
@@ -251,39 +247,34 @@ macro(COLLECT_HEADERS _var)
             endif ()
         endif ()
     endforeach ()
-endmacro(COLLECT_HEADERS _var)
+endmacro (COLLECT_HEADERS _var)
 
 cmake_policy(POP)
 
-# define a command that's used to run the make_dbg_constants.py script
-# building the zeek binary depends on the outputs of this script
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
-                          ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc
-                   COMMAND ${PYTHON_EXECUTABLE}
-                   ARGS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py
-                        ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
-                   DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py
-                           ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
-                   COMMENT "[Python] Processing debug commands"
-                   WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-)
+# define a command that's used to run the make_dbg_constants.py script building
+# the zeek binary depends on the outputs of this script
+add_custom_command(
+    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
+           ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc
+    COMMAND ${PYTHON_EXECUTABLE} ARGS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py
+            ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py
+            ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in
+    COMMENT "[Python] Processing debug commands"
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
 
-add_custom_target(
-  zeek_debugcmd_gen
-  DEPENDS
-    ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
-    ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc
-)
+add_custom_target(zeek_debugcmd_gen DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
+                                            ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc)
 add_dependencies(zeek_autogen_files zeek_debugcmd_gen)
 
 set(_gen_zeek_script_cpp ${CMAKE_CURRENT_BINARY_DIR}/../CPP-gen.cc)
-add_custom_command(OUTPUT ${_gen_zeek_script_cpp}
-		   COMMAND ${CMAKE_COMMAND} -E touch ${_gen_zeek_script_cpp})
+add_custom_command(OUTPUT ${_gen_zeek_script_cpp} COMMAND ${CMAKE_COMMAND} -E touch
+                                                          ${_gen_zeek_script_cpp})
 
 if (!MSVC)
     set_source_files_properties(legacy-netvar-init.cc PROPERTIES COMPILE_FLAGS
-                                -Wno-deprecated-declarations)
-endif()
+                                                                 -Wno-deprecated-declarations)
+endif ()
 
 set(MAIN_SRCS
     digest.cc
@@ -371,9 +362,7 @@ set(MAIN_SRCS
     ZeekArgs.cc
     ZeekString.cc
     ZVal.cc
-
     ${SUPERVISOR_SRCS}
-
     threading/BasicThread.cc
     threading/Formatter.cc
     threading/Manager.cc
@@ -381,12 +370,10 @@ set(MAIN_SRCS
     threading/SerialTypes.cc
     threading/formatters/Ascii.cc
     threading/formatters/JSON.cc
-
     plugin/Component.cc
     plugin/ComponentManager.h
     plugin/Manager.cc
     plugin/Plugin.cc
-
     script_opt/CPP/Attrs.cc
     script_opt/CPP/Consts.cc
     script_opt/CPP/DeclFunc.cc
@@ -406,9 +393,7 @@ set(MAIN_SRCS
     script_opt/CPP/Types.cc
     script_opt/CPP/Util.cc
     script_opt/CPP/Vars.cc
-
     ${_gen_zeek_script_cpp}
-
     script_opt/Expr.cc
     script_opt/GenIDDefs.cc
     script_opt/IDOptInfo.cc
@@ -420,7 +405,6 @@ set(MAIN_SRCS
     script_opt/TempVar.cc
     script_opt/UsageAnalyzer.cc
     script_opt/UseDefs.cc
-
     script_opt/ZAM/AM-Opt.cc
     script_opt/ZAM/Branches.cc
     script_opt/ZAM/BuiltIn.cc
@@ -435,9 +419,7 @@ set(MAIN_SRCS
     script_opt/ZAM/ZBody.cc
     script_opt/ZAM/ZInst.cc
     script_opt/ZAM/ZOp.cc
-
-    digest.h
-)
+    digest.h)
 
 set(THIRD_PARTY_SRCS
     3rdparty/bro_inet_ntop.c # Remove in v6.1.
@@ -449,69 +431,58 @@ set(THIRD_PARTY_SRCS
     3rdparty/patricia.c
     3rdparty/setsignal.c
     $<$<BOOL:USE_SQLITE>:3rdparty/sqlite3.c>
-    3rdparty/strsep.c
-)
+    3rdparty/strsep.c)
 
-# Highwayhash. Highwayhash is a bit special since it has architecture dependent code...
+# Highwayhash. Highwayhash is a bit special since it has architecture dependent
+# code...
 set(hhash_dir ${PROJECT_SOURCE_DIR}/auxil/highwayhash/highwayhash)
 zeek_add_subdir_library(
     hhash
     SOURCES
-        ${hhash_dir}/sip_hash.cc
-        ${hhash_dir}/sip_tree_hash.cc
-        ${hhash_dir}/scalar_sip_tree_hash.cc
-        ${hhash_dir}/arch_specific.cc
-        ${hhash_dir}/instruction_sets.cc
-        ${hhash_dir}/nanobenchmark.cc
-        ${hhash_dir}/os_specific.cc
-        ${hhash_dir}/hh_portable.cc
-)
+    ${hhash_dir}/sip_hash.cc
+    ${hhash_dir}/sip_tree_hash.cc
+    ${hhash_dir}/scalar_sip_tree_hash.cc
+    ${hhash_dir}/arch_specific.cc
+    ${hhash_dir}/instruction_sets.cc
+    ${hhash_dir}/nanobenchmark.cc
+    ${hhash_dir}/os_specific.cc
+    ${hhash_dir}/hh_portable.cc)
 
 if (${COMPILER_ARCHITECTURE} STREQUAL "arm")
-  check_c_source_compiles("
+    check_c_source_compiles(
+        "
       #if defined(__ARM_NEON__) || defined(__ARM_NEON)
       int main() { return 0; }
       #else
       #error
       #endif
-  " test_arm_neon)
+  "
+        test_arm_neon)
 
-  if (test_arm_neon)
-    target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_neon.cc)
-  endif ()
+    if (test_arm_neon)
+        target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_neon.cc)
+    endif ()
 
-  target_compile_options(
-    zeek_hhash_obj
-    PRIVATE
-      -mfloat-abi=hard
-      -march=armv7-a
-      -mfpu=neon
-  )
+    target_compile_options(zeek_hhash_obj PRIVATE -mfloat-abi=hard -march=armv7-a -mfpu=neon)
 elseif (${COMPILER_ARCHITECTURE} STREQUAL "aarch64")
-  target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_neon.cc)
+    target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_neon.cc)
 elseif (${COMPILER_ARCHITECTURE} STREQUAL "power")
-  target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_vsx.cc)
-  set_source_files_properties(${hhash_dir}/hh_vsx.cc PROPERTIES COMPILE_FLAGS
-                              -mvsx)
-elseif(${COMPILER_ARCHITECTURE} STREQUAL "x86_64")
-  target_sources(
-    zeek_hhash_obj
-    PRIVATE
-      ${hhash_dir}/hh_avx2.cc
-      ${hhash_dir}/hh_sse41.cc)
-  if (MSVC)
-    set(_avx_flag /arch:AVX2)
-    # Using an undocumentd compiler flag: https://stackoverflow.com/questions/64053597/how-do-i-enable-sse4-1-and-sse3-but-not-avx-in-msvc/69328426#69328426
-    set(_sse_flag /d2archSSE42)
-  else()
-    set(_avx_flag -mavx2)
-    set(_sse_flag -msse4.1)
-  endif()
+    target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_vsx.cc)
+    set_source_files_properties(${hhash_dir}/hh_vsx.cc PROPERTIES COMPILE_FLAGS -mvsx)
+elseif (${COMPILER_ARCHITECTURE} STREQUAL "x86_64")
+    target_sources(zeek_hhash_obj PRIVATE ${hhash_dir}/hh_avx2.cc ${hhash_dir}/hh_sse41.cc)
+    if (MSVC)
+        set(_avx_flag /arch:AVX2)
+        # Using an undocumentd compiler flag:
+        # https://stackoverflow.com/questions/64053597/how-do-i-enable-sse4-1-and-sse3-but-not-avx-in-msvc/69328426#69328426
+        set(_sse_flag /d2archSSE42)
+    else ()
+        set(_avx_flag -mavx2)
+        set(_sse_flag -msse4.1)
+    endif ()
 
-  set_source_files_properties(${hhash_dir}/hh_avx2.cc PROPERTIES COMPILE_FLAGS
-                              ${_avx_flag})
-  set_source_files_properties(${hhash_dir}/hh_sse41.cc PROPERTIES COMPILE_FLAGS
-                              ${_sse_flag})
+    set_source_files_properties(${hhash_dir}/hh_avx2.cc PROPERTIES COMPILE_FLAGS ${_avx_flag})
+    set_source_files_properties(${hhash_dir}/hh_sse41.cc PROPERTIES COMPILE_FLAGS ${_sse_flag})
 endif ()
 
 set(zeek_SRCS
@@ -535,49 +506,49 @@ set(zeek_SRCS
     ${CMAKE_CURRENT_BINARY_DIR}/ZAM-MethodDecls.h
     ${THIRD_PARTY_SRCS}
     ${HH_SRCS}
-    ${MAIN_SRCS}
-)
+    ${MAIN_SRCS})
 
 collect_headers(zeek_HEADERS ${zeek_SRCS})
 
 add_library(zeek_objs OBJECT ${zeek_SRCS})
 target_link_libraries(zeek_objs PRIVATE $<BUILD_INTERFACE:zeek_internal>)
+target_compile_definitions(zeek_objs PRIVATE ZEEK_CONFIG_SKIP_VERSION_H)
 add_dependencies(zeek_objs zeek_autogen_files)
 add_clang_tidy_files(${zeek_SRCS})
 zeek_target_link_libraries(zeek_objs)
 
+if (HAVE_SPICY)
+    target_link_libraries(zeek_objs PRIVATE hilti spicy)
+endif ()
+
 if (TARGET zeek_exe)
     target_sources(zeek_exe PRIVATE main.cc ${zeek_HEADERS})
 
-    # npcap/winpcap need to be loaded in delayed mode so that we can set the load path
-    # correctly at runtime. See https://npcap.com/guide/npcap-devguide.html#npcap-feature-native
-    # for why this is necessary.
-    if ( MSVC AND HAVE_WPCAP )
+    # npcap/winpcap need to be loaded in delayed mode so that we can set the load
+    # path correctly at runtime. See
+    # https://npcap.com/guide/npcap-devguide.html#npcap-feature-native for why
+    # this is necessary.
+    if (MSVC AND HAVE_WPCAP)
         set(zeekdeps ${zeekdeps} delayimp.lib)
         set_target_properties(zeek_exe PROPERTIES LINK_FLAGS "/DELAYLOAD:wpcap.dll")
-    endif()
+    endif ()
 
     target_link_libraries(zeek_exe PRIVATE ${zeekdeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
 
     # Export symbols from zeek executable for use by plugins
     set_target_properties(zeek_exe PROPERTIES ENABLE_EXPORTS TRUE)
 
-    if ( MSVC )
+    if (MSVC)
         set(WINDOWS_EXPORT_ALL_SYMBOLS ON)
     endif ()
 
-endif()
+endif ()
 
 if (TARGET zeek_lib)
     target_sources(zeek_lib PRIVATE ${zeek_HEADERS})
 
-    target_link_libraries(
-        zeek_lib
-        PUBLIC
-            ${zeekdeps}
-            ${CMAKE_THREAD_LIBS_INIT}
-            ${CMAKE_DL_LIBS})
-endif()
+    target_link_libraries(zeek_lib PUBLIC ${zeekdeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
+endif ()
 
 zeek_include_directories(
     ${CMAKE_BINARY_DIR}
@@ -586,21 +557,23 @@ zeek_include_directories(
     ${CMAKE_CURRENT_BINARY_DIR}
     ${CMAKE_CURRENT_SOURCE_DIR}/include
     ${CMAKE_SOURCE_DIR}/zeek/src
-    ${CMAKE_SOURCE_DIR}/zeek/src/include
-)
+    ${CMAKE_SOURCE_DIR}/zeek/src/include)
 
 # Install *.bif.zeek.
-install(DIRECTORY ${PROJECT_BINARY_DIR}/scripts/base/bif DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/base)
+install(DIRECTORY ${PROJECT_BINARY_DIR}/scripts/base/bif
+        DESTINATION ${ZEEK_SCRIPT_INSTALL_PATH}/base)
 
 # Create plugin directory at install time.
 install(DIRECTORY DESTINATION ${ZEEK_PLUGIN_DIR})
 
 # Make clean removes the bif directory.
-set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${PROJECT_BINARY_DIR}/scripts/base/bif)
+set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES
+                                    ${PROJECT_BINARY_DIR}/scripts/base/bif)
 
-# Remove some stale files and scripts that previous Zeek versions put in
-# place, yet make confuse us now. This makes upgrading easier.
-install(CODE "
+# Remove some stale files and scripts that previous Zeek versions put in place,
+# yet make confuse us now. This makes upgrading easier.
+install(
+    CODE "
    file(REMOVE_RECURSE
        ${ZEEK_SCRIPT_INSTALL_PATH}/base/frameworks/logging/writers/dataseries.bro
        ${ZEEK_SCRIPT_INSTALL_PATH}/base/frameworks/logging/writers/elasticsearch.bro
@@ -608,60 +581,59 @@ install(CODE "
    )
 ")
 
-# Make sure to escape a bunch of special characters in the path before trying to use it as a
-# regular expression below.
-string(REGEX REPLACE "([][+.*()^])" "\\\\\\1" escaped_include_path "${CMAKE_CURRENT_SOURCE_DIR}/include/*")
+# Make sure to escape a bunch of special characters in the path before trying to
+# use it as a regular expression below.
+string(REGEX REPLACE "([][+.*()^])" "\\\\\\1" escaped_include_path
+                     "${CMAKE_CURRENT_SOURCE_DIR}/include/*")
 
 if (WIN32)
-    install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/windows/usr.include/
-            DESTINATION include/
-            FILES_MATCHING
-            PATTERN "*.h"
-    )
-endif()
-
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
-        DESTINATION include/zeek
+    install(
+        DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/windows/usr.include/
+        DESTINATION include/
         FILES_MATCHING
-        PATTERN "*.h"
-        PATTERN "*.pac"
-        PATTERN "3rdparty/*" EXCLUDE
-        # The "zeek -> ." symlink isn't needed in the install-tree
-        REGEX "${escaped_include_path}$" EXCLUDE
+        PATTERN "*.h")
+endif ()
 
-	# FILES_MATCHING creates empty directories:
-	# https://gitlab.kitware.com/cmake/cmake/-/issues/17122
-	# Exclude the ones that this affects explicitly.
-	PATTERN "script_opt/CPP/maint" EXCLUDE
-	PATTERN "fuzzers/corpora" EXCLUDE
-)
+install(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
+    DESTINATION include/zeek
+    FILES_MATCHING
+    PATTERN "*.h"
+    PATTERN "*.pac"
+    PATTERN "3rdparty/*" EXCLUDE
+    # The "zeek -> ." symlink isn't needed in the install-tree
+    REGEX "${escaped_include_path}$" EXCLUDE
+    # FILES_MATCHING creates empty directories:
+    # https://gitlab.kitware.com/cmake/cmake/-/issues/17122 Exclude the ones that
+    # this affects explicitly.
+    PATTERN "script_opt/CPP/maint" EXCLUDE
+    PATTERN "fuzzers/corpora" EXCLUDE)
 
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
-        DESTINATION include/zeek
-        FILES_MATCHING
-        PATTERN "*.bif.func_h"
-        PATTERN "*.bif.netvar_h"
-        PATTERN "*.bif.h"
-        PATTERN "CMakeFiles" EXCLUDE
-        # The "include/zeek -> .." symlink isn't needed in the install-tree
-        REGEX "${escaped_include_path}$" EXCLUDE
-)
+install(
+    DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
+    DESTINATION include/zeek
+    FILES_MATCHING
+    PATTERN "*.bif.func_h"
+    PATTERN "*.bif.netvar_h"
+    PATTERN "*.bif.h"
+    PATTERN "CMakeFiles" EXCLUDE
+    # The "include/zeek -> .." symlink isn't needed in the install-tree
+    REGEX "${escaped_include_path}$" EXCLUDE)
 
-install(FILES
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/ConvertUTF.h
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bro_inet_ntop.h # Remove in v6.1
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/zeek_inet_ntop.h
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bsd-getopt-long.h
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/modp_numtoa.h
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/patricia.h
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/setsignal.h
-        $<$<BOOL:USE_SQLITE>:${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h>
-        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/doctest.h
-        DESTINATION include/zeek/3rdparty
-)
+install(
+    FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/ConvertUTF.h
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bro_inet_ntop.h # Remove in v6.1
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/zeek_inet_ntop.h
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bsd-getopt-long.h
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/modp_numtoa.h
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/patricia.h
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/setsignal.h
+          $<$<BOOL:USE_SQLITE>:${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h>
+          ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/doctest.h
+    DESTINATION include/zeek/3rdparty)
 
-########################################################################
-## Clang-tidy target now that we have all of the sources
+# ##############################################################################
+# Clang-tidy target now that we have all of the sources
 
 add_clang_tidy_files(${MAIN_SRCS})
 
@@ -670,23 +642,22 @@ add_clang_tidy_files(${MAIN_SRCS})
 # *.bif.register.cc)
 create_clang_tidy_target()
 
-########################################################################
-## CTest setup.
+# ##############################################################################
+# CTest setup.
 
 # Scan all .cc files for TEST_CASE macros and generate CTest targets.
 if (ENABLE_ZEEK_UNIT_TESTS)
     set(test_cases "")
     foreach (cc_file ${TIDY_SRCS})
-        file (STRINGS ${cc_file} test_case_lines REGEX "TEST_CASE")
+        file(STRINGS ${cc_file} test_case_lines REGEX "TEST_CASE")
         foreach (line ${test_case_lines})
             string(REGEX REPLACE "TEST_CASE\\(\"(.+)\"\\)" "\\1" test_case "${line}")
             list(APPEND test_cases "${test_case}")
         endforeach ()
     endforeach ()
     list(LENGTH test_cases num_test_cases)
-    MESSAGE(STATUS "-- Found ${num_test_cases} test cases for CTest")
+    message(STATUS "-- Found ${num_test_cases} test cases for CTest")
     foreach (test_case ${test_cases})
-        add_test(NAME "\"${test_case}\""
-                 COMMAND zeek --test "--test-case=${test_case}")
+        add_test(NAME "\"${test_case}\"" COMMAND zeek --test "--test-case=${test_case}")
     endforeach ()
 endif ()
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 4ff950c377..4ce647157b 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -22,8 +22,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{"logging", 0, false},         {"input", 0, false},         {"threading", 0, false},
 	{"plugins", 0, false},         {"zeekygen", 0, false},      {"pktio", 0, false},
 	{"broker", 0, false},          {"scripts", 0, false},       {"supervisor", 0, false},
-	{"hashkey", 0, false},
-};
+	{"hashkey", 0, false},         {"spicy", 0, false}};
 
 DebugLogger::DebugLogger()
 	{
@@ -56,7 +55,7 @@ void DebugLogger::OpenDebugLog(const char* filename)
 				}
 			}
 
-		setvbuf(file, NULL, _IOLBF, 0);
+		util::detail::setvbuf(file, NULL, _IOLBF, 0);
 		}
 	else
 		file = stderr;
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index e8be0a71e2..041e18e407 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -57,6 +57,7 @@ enum DebugStream
 	DBG_SCRIPTS, // Script initialization
 	DBG_SUPERVISOR, // Process supervisor
 	DBG_HASHKEY, // HashKey buffers
+	DBG_SPICY, // Spicy functionality
 
 	NUM_DBGS // Has to be last
 	};
diff --git a/src/Event.cc b/src/Event.cc
index 065cee5839..de26955d56 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -7,7 +7,6 @@
 #include "zeek/Desc.h"
 #include "zeek/Func.h"
 #include "zeek/NetVar.h"
-#include "zeek/RunState.h"
 #include "zeek/Trigger.h"
 #include "zeek/Val.h"
 #include "zeek/iosource/Manager.h"
@@ -19,10 +18,10 @@ zeek::EventMgr zeek::event_mgr;
 namespace zeek
 	{
 
-Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args, util::detail::SourceID arg_src,
-             analyzer::ID arg_aid, Obj* arg_obj)
-	: handler(arg_handler), args(std::move(arg_args)), src(arg_src), aid(arg_aid), obj(arg_obj),
-	  next_event(nullptr)
+Event::Event(const EventHandlerPtr& arg_handler, zeek::Args arg_args,
+             util::detail::SourceID arg_src, analyzer::ID arg_aid, Obj* arg_obj, double arg_ts)
+	: handler(arg_handler), args(std::move(arg_args)), src(arg_src), aid(arg_aid), ts(arg_ts),
+	  obj(arg_obj), next_event(nullptr)
 	{
 	if ( obj )
 		Ref(obj);
@@ -53,7 +52,7 @@ void Event::Dispatch(bool no_remote)
 
 	try
 		{
-		handler->Call(&args, no_remote);
+		handler->Call(&args, no_remote, ts);
 		}
 
 	catch ( InterpreterException& e )
@@ -74,6 +73,7 @@ EventMgr::EventMgr()
 	head = tail = nullptr;
 	current_src = util::detail::SOURCE_LOCAL;
 	current_aid = 0;
+	current_ts = 0;
 	src_val = nullptr;
 	draining = false;
 	}
@@ -91,9 +91,9 @@ EventMgr::~EventMgr()
 	}
 
 void EventMgr::Enqueue(const EventHandlerPtr& h, Args vl, util::detail::SourceID src,
-                       analyzer::ID aid, Obj* obj)
+                       analyzer::ID aid, Obj* obj, double ts)
 	{
-	QueueEvent(new Event(h, std::move(vl), src, aid, obj));
+	QueueEvent(new Event(h, std::move(vl), src, aid, obj, ts));
 	}
 
 void EventMgr::QueueEvent(Event* event)
@@ -120,6 +120,8 @@ void EventMgr::QueueEvent(Event* event)
 void EventMgr::Dispatch(Event* event, bool no_remote)
 	{
 	current_src = event->Source();
+	current_aid = event->Analyzer();
+	current_ts = event->Time();
 	event->Dispatch(no_remote);
 	Unref(event);
 	}
@@ -154,6 +156,7 @@ void EventMgr::Drain()
 
 			current_src = current->Source();
 			current_aid = current->Analyzer();
+			current_ts = current->Time();
 			current->Dispatch();
 			Unref(current);
 
diff --git a/src/Event.h b/src/Event.h
index dc3e931bd8..b746635007 100644
--- a/src/Event.h
+++ b/src/Event.h
@@ -15,14 +15,19 @@
 namespace zeek
 	{
 
+namespace run_state
+	{
+extern double network_time;
+	} // namespace run_state
+
 class EventMgr;
 
 class Event final : public Obj
 	{
 public:
-	Event(EventHandlerPtr handler, zeek::Args args,
+	Event(const EventHandlerPtr& handler, zeek::Args args,
 	      util::detail::SourceID src = util::detail::SOURCE_LOCAL, analyzer::ID aid = 0,
-	      Obj* obj = nullptr);
+	      Obj* obj = nullptr, double ts = run_state::network_time);
 
 	void SetNext(Event* n) { next_event = n; }
 	Event* NextEvent() const { return next_event; }
@@ -31,6 +36,7 @@ public:
 	analyzer::ID Analyzer() const { return aid; }
 	EventHandlerPtr Handler() const { return handler; }
 	const zeek::Args& Args() const { return args; }
+	double Time() const { return ts; }
 
 	void Describe(ODesc* d) const override;
 
@@ -45,6 +51,7 @@ protected:
 	zeek::Args args;
 	util::detail::SourceID src;
 	analyzer::ID aid;
+	double ts;
 	Obj* obj;
 	Event* next_event;
 	};
@@ -66,10 +73,12 @@ public:
 	 * @param aid  identifies the protocol analyzer generating the event.
 	 * @param obj  an arbitrary object to use as a "cookie" or just hold a
 	 * reference to until dispatching the event.
+	 * @param ts  timestamp at which the event is intended to be executed
+	 * (defaults to current network time).
 	 */
 	void Enqueue(const EventHandlerPtr& h, zeek::Args vl,
 	             util::detail::SourceID src = util::detail::SOURCE_LOCAL, analyzer::ID aid = 0,
-	             Obj* obj = nullptr);
+	             Obj* obj = nullptr, double ts = run_state::network_time);
 
 	/**
 	 * A version of Enqueue() taking a variable number of arguments.
@@ -95,6 +104,11 @@ public:
 	// non-analyzer event.
 	analyzer::ID CurrentAnalyzer() const { return current_aid; }
 
+	// Returns the timestamp of the last raised event. The timestamp reflects the network time
+	// the event was intended to be executed. For scheduled events, this is the time the event
+	// was scheduled to. For any other event, this is the time when the event was created.
+	double CurrentEventTime() const { return current_ts; }
+
 	int Size() const { return num_events_queued - num_events_dispatched; }
 
 	void Describe(ODesc* d) const override;
@@ -114,6 +128,7 @@ protected:
 	Event* tail;
 	util::detail::SourceID current_src;
 	analyzer::ID current_aid;
+	double current_ts;
 	RecordVal* src_val;
 	bool draining;
 	detail::Flare queue_flare;
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index e15234d750..79f12d32cb 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -52,7 +52,7 @@ void EventHandler::SetFunc(FuncPtr f)
 	local = std::move(f);
 	}
 
-void EventHandler::Call(Args* vl, bool no_remote)
+void EventHandler::Call(Args* vl, bool no_remote, double ts)
 	{
 	if ( ! call_count )
 		{
@@ -100,10 +100,10 @@ void EventHandler::Call(Args* vl, bool no_remote)
 					++it;
 
 					if ( it != auto_publish.end() )
-						broker_mgr->PublishEvent(topic, Name(), xs);
+						broker_mgr->PublishEvent(topic, Name(), xs, ts);
 					else
 						{
-						broker_mgr->PublishEvent(topic, Name(), std::move(xs));
+						broker_mgr->PublishEvent(topic, Name(), std::move(xs), ts);
 						break;
 						}
 					}
diff --git a/src/EventHandler.h b/src/EventHandler.h
index 258682adfc..89d5d705fc 100644
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@@ -14,6 +14,11 @@
 namespace zeek
 	{
 
+namespace run_state
+	{
+extern double network_time;
+	} // namespace run_state
+
 class Func;
 using FuncPtr = IntrusivePtr<Func>;
 
@@ -34,7 +39,7 @@ public:
 
 	void AutoUnpublish(const std::string& topic) { auto_publish.erase(topic); }
 
-	void Call(zeek::Args* vl, bool no_remote = false);
+	void Call(zeek::Args* vl, bool no_remote = false, double ts = run_state::network_time);
 
 	// Returns true if there is at least one local or remote handler.
 	explicit operator bool() const;
diff --git a/src/EventTrace.cc b/src/EventTrace.cc
index 3ca3f66941..ff52f079da 100644
--- a/src/EventTrace.cc
+++ b/src/EventTrace.cc
@@ -213,12 +213,16 @@ void ValTrace::ComputeDelta(const ValTrace* prev, DeltaVector& deltas) const
 			// use the constant representation instead.
 			break;
 
+		case TYPE_ANY:
 		case TYPE_FILE:
 		case TYPE_OPAQUE:
-		case TYPE_ANY:
-			// These we have no way of creating as constants.
-			reporter->Error("cannot generate an event trace for an event of type %s",
-			                type_name(tag));
+			// If we have a previous instance, we can ignore this
+			// one, because we know it's equivalent (due to the
+			// test at the beginning of this method), and it's
+			// not meaningful to recurse inside it looking for
+			// interior changes.
+			if ( ! prev )
+				deltas.emplace_back(std::make_unique<DeltaUnsupportedCreate>(this));
 			break;
 
 		case TYPE_LIST:
@@ -241,6 +245,13 @@ void ValTrace::ComputeDelta(const ValTrace* prev, DeltaVector& deltas) const
 			if ( prev )
 				ComputeTableDelta(prev, deltas);
 
+			else if ( GetType()->AsTableType()->IsUnspecifiedTable() )
+				// For unspecified values, we generate them
+				// as empty constructors, because we don't
+				// know their yield type and thus can't
+				// create variables corresponding to them.
+				break;
+
 			else if ( t->Yield() )
 				deltas.emplace_back(std::make_unique<DeltaTableCreate>(this));
 			else
@@ -250,6 +261,11 @@ void ValTrace::ComputeDelta(const ValTrace* prev, DeltaVector& deltas) const
 		case TYPE_VECTOR:
 			if ( prev )
 				ComputeVectorDelta(prev, deltas);
+
+			else if ( GetType()->AsVectorType()->IsUnspecifiedVector() )
+				// See above for empty tables/sets.
+				break;
+
 			else
 				deltas.emplace_back(std::make_unique<DeltaVectorCreate>(this));
 			break;
@@ -722,6 +738,11 @@ std::string DeltaVectorCreate::Generate(ValTraceMgr* vtm) const
 	return std::string(" = vector(") + vec + ")";
 	}
 
+std::string DeltaUnsupportedCreate::Generate(ValTraceMgr* vtm) const
+	{
+	return " = UNSUPPORTED " + obj_desc_short(vt->GetVal()->GetType().get());
+	}
+
 EventTrace::EventTrace(const ScriptFunc* _ev, double _nt, size_t event_num) : ev(_ev), nt(_nt)
 	{
 	auto ev_name = std::regex_replace(ev->Name(), std::regex(":"), "_");
@@ -770,13 +791,19 @@ void EventTrace::Generate(FILE* f, ValTraceMgr& vtm, const DeltaGenVec& dvec, st
 		fprintf(f, "\t");
 
 		auto& val = d.GetVal();
+		bool define_local = d.IsFirstDef() && ! vtm.IsGlobal(val);
 
-		if ( d.IsFirstDef() && ! vtm.IsGlobal(val) )
+		if ( define_local )
 			fprintf(f, "local ");
 
 		if ( d.NeedsLHS() )
+			{
 			fprintf(f, "%s", vtm.ValName(val).c_str());
 
+			if ( define_local )
+				fprintf(f, ": %s", obj_desc_short(val->GetType().get()).c_str());
+			}
+
 		auto anno = offset < num_pre ? " # from script" : "";
 
 		fprintf(f, "%s;%s\n", d.RHS().c_str(), anno);
@@ -798,7 +825,8 @@ void EventTrace::Generate(FILE* f, ValTraceMgr& vtm, const DeltaGenVec& dvec, st
 		}
 	else
 		{
-		fprintf(f, "\tset_network_time(double_to_time(%.06f));\n", nt);
+		auto tm = vtm.TimeConstant(nt);
+		fprintf(f, "\tset_network_time(%s);\n", tm.c_str());
 		fprintf(f, "\tevent __EventTrace::%s();\n", successor.c_str());
 		}
 
@@ -870,66 +898,28 @@ const std::string& ValTraceMgr::ValName(const ValPtr& v)
 	{
 	auto find = val_names.find(v.get());
 	if ( find == val_names.end() )
-		{
-		if ( IsAggr(v->GetType()) )
-			{ // Aggregate shouldn't exist; create it
-			ASSERT(val_map.count(v.get()) == 0);
-			NewVal(v);
-			find = val_names.find(v.get());
-			}
-
-		else
-			{ // Non-aggregate can be expressed using a constant
-			auto tag = v->GetType()->Tag();
-			std::string rep;
-
-			if ( tag == TYPE_STRING )
-				{
-				auto s = v->AsStringVal();
-				rep = escape_string(s->Bytes(), s->Len());
-				}
-
-			else if ( tag == TYPE_LIST )
-				{
-				auto lv = cast_intrusive<ListVal>(v);
-				for ( auto& v_i : lv->Vals() )
-					{
-					if ( ! rep.empty() )
-						rep += ", ";
-
-					rep += ValName(v_i);
-					}
-				}
-
-			else if ( tag == TYPE_FUNC )
-				rep = v->AsFunc()->Name();
-
-			else if ( tag == TYPE_TIME )
-				rep = std::string("double_to_time(") + std::to_string(v->AsDouble()) + ")";
-
-			else if ( tag == TYPE_INTERVAL )
-				rep = std::string("double_to_interval(") + std::to_string(v->AsDouble()) + ")";
-
-			else
-				{
-				ODesc d;
-				v->Describe(&d);
-				rep = d.Description();
-				}
-
-			val_names[v.get()] = rep;
-			vals.push_back(v);
-			find = val_names.find(v.get());
-			}
-
-		ASSERT(find != val_names.end());
-		}
+		find = val_names.insert({v.get(), GenValName(v)}).first;
 
 	ValUsed(v);
 
 	return find->second;
 	}
 
+std::string ValTraceMgr::TimeConstant(double t)
+	{
+	if ( t < std::max(base_time, 1e6) )
+		return "double_to_time(" + std::to_string(t) + ")";
+
+	if ( ! base_time )
+		base_time = t;
+
+	if ( t == base_time )
+		return "double_to_time(__base_time)";
+
+	t -= base_time;
+	return "double_to_time(__base_time + " + std::to_string(t) + ")";
+	}
+
 void ValTraceMgr::AddVal(ValPtr v)
 	{
 	auto mapping = val_map.find(v.get());
@@ -1003,16 +993,143 @@ void ValTraceMgr::AssessChange(const ValTrace* vt, const ValTrace* prev_vt)
 		}
 
 	auto& v = vt->GetVal();
-	if ( IsAggr(v->GetType()) )
+	if ( IsAggr(v->GetType()) && (prev_vt || ! IsUnspecifiedAggregate(v)) )
 		ValUsed(vt->GetVal());
 	}
 
 void ValTraceMgr::TrackVar(const Val* v)
 	{
-	auto val_name = std::string("__val") + std::to_string(num_vars++);
+	std::string base_name = IsUnsupported(v) ? "UNSUPPORTED" : "val";
+	auto val_name = "__" + base_name + std::to_string(num_vars++);
 	val_names[v] = val_name;
 	}
 
+std::string ValTraceMgr::GenValName(const ValPtr& v)
+	{
+	if ( IsAggr(v->GetType()) && ! IsUnspecifiedAggregate(v) )
+		{ // Aggregate shouldn't exist; create it
+		ASSERT(val_map.count(v.get()) == 0);
+		NewVal(v);
+		return val_names[v.get()];
+		}
+
+	// Non-aggregate (or unspecified aggregate) can be expressed using
+	// a constant.
+	auto t = v->GetType();
+	auto tag = t->Tag();
+	std::string rep;
+	bool track_constant = false;
+
+	switch ( tag )
+		{
+		case TYPE_STRING:
+			{
+			auto s = v->AsStringVal();
+			rep = escape_string(s->Bytes(), s->Len());
+			track_constant = s->Len() > 0;
+			break;
+			}
+
+		case TYPE_LIST:
+			{
+			auto lv = cast_intrusive<ListVal>(v);
+			for ( auto& v_i : lv->Vals() )
+				{
+				if ( ! rep.empty() )
+					rep += ", ";
+
+				rep += ValName(v_i);
+				}
+			break;
+			}
+
+		case TYPE_FUNC:
+			rep = v->AsFunc()->Name();
+			break;
+
+		case TYPE_TIME:
+			{
+			auto tm = v->AsDouble();
+			rep = TimeConstant(tm);
+
+			if ( tm > 0.0 && rep.find("__base_time") == std::string::npos )
+				// We're not representing it using base_time.
+				track_constant = true;
+
+			break;
+			}
+
+		case TYPE_INTERVAL:
+			rep = "double_to_interval(" + std::to_string(v->AsDouble()) + ")";
+			break;
+
+		case TYPE_TABLE:
+			rep = t->Yield() ? "table()" : "set()";
+			break;
+
+		case TYPE_VECTOR:
+			rep = "vector()";
+			break;
+
+		case TYPE_PATTERN:
+		case TYPE_PORT:
+		case TYPE_ADDR:
+		case TYPE_SUBNET:
+			{
+			ODesc d;
+			v->Describe(&d);
+			rep = d.Description();
+			track_constant = true;
+
+			if ( tag == TYPE_ADDR || tag == TYPE_SUBNET )
+				{
+				// Fix up deficiency that IPv6 addresses are
+				// described without surrounding []'s.
+				const auto& addr = tag == TYPE_ADDR ? v->AsAddr() : v->AsSubNet().Prefix();
+				if ( addr.GetFamily() == IPv6 )
+					rep = "[" + rep + "]";
+				}
+			}
+			break;
+
+		default:
+			{
+			ODesc d;
+			v->Describe(&d);
+			rep = d.Description();
+			}
+		}
+
+	val_names[v.get()] = rep;
+	vals.push_back(v);
+
+	if ( track_constant )
+		constants[tag].insert(rep);
+
+	std::array<std::string, NUM_TYPES> constants;
+
+	return rep;
+	}
+
+bool ValTraceMgr::IsUnspecifiedAggregate(const ValPtr& v) const
+	{
+	auto t = v->GetType()->Tag();
+
+	if ( t == TYPE_TABLE && v->GetType<TableType>()->IsUnspecifiedTable() )
+		return true;
+
+	if ( t == TYPE_VECTOR && v->GetType<VectorType>()->IsUnspecifiedVector() )
+		return true;
+
+	return false;
+	}
+
+bool ValTraceMgr::IsUnsupported(const Val* v) const
+	{
+	auto t = v->GetType()->Tag();
+	return t == TYPE_ANY || t == TYPE_FILE || t == TYPE_OPAQUE;
+	}
+
 EventTraceMgr::EventTraceMgr(const std::string& trace_file)
 	{
 	f = fopen(trace_file.c_str(), "w");
@@ -1027,6 +1144,11 @@ EventTraceMgr::~EventTraceMgr()
 
 	fprintf(f, "module __EventTrace;\n\n");
 
+	auto bt = vtm.GetBaseTime();
+
+	if ( bt )
+		fprintf(f, "global __base_time = %.06f;\n\n", bt);
+
 	for ( auto& e : events )
 		fprintf(f, "global %s: event();\n", e->GetName());
 
@@ -1044,6 +1166,22 @@ EventTraceMgr::~EventTraceMgr()
 		events[i]->Generate(f, vtm, predecessor.get(), successor);
 		}
 
+	const auto& constants = vtm.GetConstants();
+
+	for ( auto tag = 0; tag < NUM_TYPES; ++tag )
+		{
+		auto& c_t = constants[tag];
+		if ( c_t.empty() && (tag != TYPE_TIME || ! bt) )
+			continue;
+
+		fprintf(f, "\n# constants of type %s:\n", type_name(TypeTag(tag)));
+		if ( tag == TYPE_TIME && bt )
+			fprintf(f, "#\t__base_time = %.06f\n", bt);
+
+		for ( auto& c : c_t )
+			fprintf(f, "#\t%s\n", c.c_str());
+		}
+
 	fclose(f);
 	}
 
@@ -1053,9 +1191,12 @@ void EventTraceMgr::StartEvent(const ScriptFunc* ev, const zeek::Args* args)
 		return;
 
 	auto nt = run_state::network_time;
-	if ( nt == 0.0 )
+	if ( nt == 0.0 || util::streq(ev->Name(), "zeek_init") )
 		return;
 
+	if ( ! vtm.GetBaseTime() )
+		vtm.SetBaseTime(nt);
+
 	auto et = std::make_shared<EventTrace>(ev, nt, events.size());
 	events.emplace_back(et);
 
@@ -1067,7 +1208,7 @@ void EventTraceMgr::EndEvent(const ScriptFunc* ev, const zeek::Args* args)
 	if ( script_events.count(ev->Name()) > 0 )
 		return;
 
-	if ( run_state::network_time > 0.0 )
+	if ( run_state::network_time > 0.0 && ! util::streq(ev->Name(), "zeek_init") )
 		vtm.FinishCurrentEvent(args);
 	}
 
diff --git a/src/EventTrace.h b/src/EventTrace.h
index 9a0b95e5be..d958cd058d 100644
--- a/src/EventTrace.h
+++ b/src/EventTrace.h
@@ -264,8 +264,16 @@ public:
 	DeltaVectorCreate(const ValTrace* _vt) : ValDelta(_vt) { }
 
 	std::string Generate(ValTraceMgr* vtm) const override;
+	};
 
-private:
+// Captures the notion of creating a value with an unsupported type
+// (like "opaque").
+class DeltaUnsupportedCreate : public ValDelta
+	{
+public:
+	DeltaUnsupportedCreate(const ValTrace* _vt) : ValDelta(_vt) { }
+
+	std::string Generate(ValTraceMgr* vtm) const override;
 	};
 
 // Manages the changes to (or creation of) a variable used to represent
@@ -385,6 +393,19 @@ public:
 	// needs to be global (because it's used across multiple events).
 	bool IsGlobal(const ValPtr& v) const { return globals.count(v.get()) > 0; }
 
+	// Returns or sets the "base time" from which eligible times are
+	// transformed into offsets rather than maintained as absolute
+	// values.
+	double GetBaseTime() const { return base_time; }
+	void SetBaseTime(double bt) { base_time = bt; }
+
+	// Returns a Zeek script representation of the given "time" value.
+	// This might be relative to base_time or might be absolute.
+	std::string TimeConstant(double t);
+
+	// Returns the array of per-type-tag constants.
+	const auto& GetConstants() const { return constants; }
+
 private:
 	// Traces the given value, which we may-or-may-not have seen before.
 	void AddVal(ValPtr v);
@@ -404,6 +425,17 @@ private:
 	// Create and track a script variable associated with the given value.
 	void TrackVar(const Val* vt);
 
+	// Generates a name for a value.
+	std::string GenValName(const ValPtr& v);
+
+	// True if the given value is an unspecified (and empty set,
+	// table, or vector appearing as a constant rather than an
+	// already-typed value).
+	bool IsUnspecifiedAggregate(const ValPtr& v) const;
+
+	// True if the given value has an unsupported type.
+	bool IsUnsupported(const Val* v) const;
+
 	// Maps values to their associated traces.
 	std::unordered_map<const Val*, std::shared_ptr<ValTrace>> val_map;
 
@@ -423,6 +455,15 @@ private:
 	// to be global.
 	std::unordered_set<const Val*> globals;
 
+	// Indexed by type tag, stores an ordered set of all of the distinct
+	// representations of constants of that type.
+	std::array<std::set<std::string>, NUM_TYPES> constants;
+
+	// If non-zero, then we've established a "base time" and will report
+	// time constants as offsets from it (when reasonable, i.e., no
+	// negative offsets, and base_time can't be too close to 0.0).
+	double base_time = 0.0;
+
 	// The event we're currently tracing.
 	std::shared_ptr<EventTrace> curr_ev;
 
diff --git a/src/Expr.cc b/src/Expr.cc
index 1a7c06020a..bcd9ac96ae 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -2932,7 +2932,13 @@ ValPtr IndexExpr::Fold(Val* v1, Val* v2) const
 			const ListVal* lv = v2->AsListVal();
 
 			if ( lv->Length() == 1 )
-				v = vect->ValAt(lv->Idx(0)->CoerceToUnsigned());
+				{
+				auto index = lv->Idx(0)->CoerceToInt();
+				if ( index < 0 )
+					index = vect->Size() + index;
+
+				v = vect->ValAt(index);
+				}
 			else
 				return index_slice(vect, lv);
 			}
@@ -4279,7 +4285,8 @@ ScheduleTimer::~ScheduleTimer() { }
 void ScheduleTimer::Dispatch(double /* t */, bool /* is_expire */)
 	{
 	if ( event )
-		event_mgr.Enqueue(event, std::move(args));
+		event_mgr.Enqueue(event, std::move(args), util::detail::SOURCE_LOCAL, 0, nullptr,
+		                  this->Time());
 	}
 
 ScheduleExpr::ScheduleExpr(ExprPtr arg_when, EventExprPtr arg_event)
diff --git a/src/File.cc b/src/File.cc
index 44c78ccd91..864a0cc37f 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -202,16 +202,8 @@ void File::SetBuf(bool arg_buffered)
 	if ( ! f )
 		return;
 
-#ifndef _MSC_VER
-	if ( setvbuf(f, NULL, arg_buffered ? _IOFBF : _IOLBF, 0) != 0 )
+	if ( util::detail::setvbuf(f, NULL, arg_buffered ? _IOFBF : _IOLBF, 0) != 0 )
 		reporter->Error("setvbuf failed");
-#else
-	// TODO: this turns off buffering altogether because Windows wants us to pass a valid
-	// buffer and length if we're going to pass one of the other modes. We need to
-	// investigate the performance ramifications of this.
-	if ( setvbuf(f, NULL, _IONBF, 0) != 0 )
-		reporter->Error("setvbuf failed");
-#endif
 
 	buffered = arg_buffered;
 	}
diff --git a/src/IP.cc b/src/IP.cc
index 315f5e4dd0..22c1229abd 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -390,10 +390,14 @@ RecordValPtr IP_Hdr::ToIPHdrVal() const
 		rval->Assign(1, ip4->ip_tos);
 		rval->Assign(2, ntohs(ip4->ip_len));
 		rval->Assign(3, ntohs(ip4->ip_id));
-		rval->Assign(4, ip4->ip_ttl);
-		rval->Assign(5, ip4->ip_p);
-		rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
-		rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
+		rval->Assign(4, DF());
+		rval->Assign(5, MF());
+		rval->Assign(6, FragOffset()); // 13 bit offset as multiple of 8
+		rval->Assign(7, ip4->ip_ttl);
+		rval->Assign(8, ip4->ip_p);
+		rval->Assign(9, ntohs(ip4->ip_sum));
+		rval->Assign(10, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
+		rval->Assign(11, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
 		}
 	else
 		{
diff --git a/src/Options.cc b/src/Options.cc
index d937957f90..ac4da88099 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -166,6 +166,8 @@ void usage(const char* prog, int code)
 	        util::zeek_prefixes().c_str());
 	fprintf(stderr, "    $ZEEK_DNS_FAKE                  | disable DNS lookups (%s)\n",
 	        fake_dns() ? "on" : "off");
+	fprintf(stderr, "    $ZEEK_SEED_VALUES               | list of space separated seeds (%s)\n",
+	        getenv("ZEEK_SEED_VALUES") ? "set" : "not set");
 	fprintf(stderr, "    $ZEEK_SEED_FILE                 | file to load seeds from (not set)\n");
 	fprintf(stderr, "    $ZEEK_LOG_SUFFIX                | ASCII log file extension (.%s)\n",
 	        logging::writer::detail::Ascii::LogExt().c_str());
diff --git a/src/ScriptCoverageManager.cc b/src/ScriptCoverageManager.cc
index ab56f3b793..679bf8e206 100644
--- a/src/ScriptCoverageManager.cc
+++ b/src/ScriptCoverageManager.cc
@@ -10,8 +10,7 @@
 
 #include "zeek/Desc.h"
 #include "zeek/Reporter.h"
-#include "zeek/Stmt.h"
-#include "zeek/util.h"
+#include "zeek/Type.h"
 
 using namespace std;
 
@@ -20,19 +19,17 @@ namespace zeek::detail
 
 ScriptCoverageManager::ScriptCoverageManager() : ignoring(0), delim('\t') { }
 
-ScriptCoverageManager::~ScriptCoverageManager()
-	{
-	for ( auto& s : stmts )
-		Unref(s);
-	}
-
 void ScriptCoverageManager::AddStmt(Stmt* s)
 	{
 	if ( ignoring != 0 )
 		return;
 
-	Ref(s);
-	stmts.push_back(s);
+	stmts.push_back({NewRef{}, s});
+	}
+
+void ScriptCoverageManager::AddFunction(IDPtr func_id, StmtPtr body)
+	{
+	func_instances.push_back({func_id, body});
 	}
 
 bool ScriptCoverageManager::ReadStats()
@@ -127,31 +124,47 @@ bool ScriptCoverageManager::WriteStats()
 		return false;
 		}
 
-	for ( auto s : stmts )
+	for ( auto& s : stmts )
 		{
-		ODesc location_info;
-		s->GetLocationInfo()->Describe(&location_info);
 		ODesc desc_info;
 		s->Describe(&desc_info);
-		string desc(desc_info.Description());
-		canonicalize_desc cd{delim};
-		for_each(desc.begin(), desc.end(), cd);
-		pair<string, string> location_desc(location_info.Description(), desc);
-		if ( usage_map.find(location_desc) != usage_map.end() )
-			usage_map[location_desc] += s->GetAccessCount();
-		else
-			usage_map[location_desc] = s->GetAccessCount();
+		TrackUsage(s, desc_info.Description(), s->GetAccessCount());
 		}
 
-	map<pair<string, string>, uint64_t>::const_iterator it;
-	for ( auto& um : usage_map )
+	for ( auto& [func, body] : func_instances )
 		{
-		fprintf(f, "%" PRIu64 "%c%s%c%s\n", um.second, delim, um.first.first.c_str(), delim,
-		        um.first.second.c_str());
+		auto ft = func->GetType<FuncType>();
+		auto desc = ft->FlavorString() + " " + func->Name() + " BODY";
+
+		TrackUsage(body, desc, body->GetAccessCount());
 		}
 
+	for ( auto& [location_info, cnt] : usage_map )
+		Report(f, cnt, location_info.first, location_info.second);
+
 	fclose(f);
 	return true;
 	}
 
+void ScriptCoverageManager::TrackUsage(const ObjPtr& obj, std::string desc, uint64_t cnt)
+	{
+	ODesc location_info;
+	obj->GetLocationInfo()->Describe(&location_info);
+
+	static canonicalize_desc cd{delim};
+	for_each(desc.begin(), desc.end(), cd);
+
+	pair<string, string> location_desc(location_info.Description(), desc);
+
+	if ( usage_map.find(location_desc) != usage_map.end() )
+		usage_map[location_desc] += cnt;
+	else
+		usage_map[location_desc] = cnt;
+	}
+
+void ScriptCoverageManager::Report(FILE* f, uint64_t cnt, std::string loc, std::string desc)
+	{
+	fprintf(f, "%" PRIu64 "%c%s%c%s\n", cnt, delim, loc.c_str(), delim, desc.c_str());
+	}
+
 	} // namespace zeek::detail
diff --git a/src/ScriptCoverageManager.h b/src/ScriptCoverageManager.h
index b9c804ad79..72409002cb 100644
--- a/src/ScriptCoverageManager.h
+++ b/src/ScriptCoverageManager.h
@@ -5,12 +5,14 @@
 #include <string>
 #include <utility>
 
+#include "zeek/ID.h"
+#include "zeek/StmtBase.h"
 #include "zeek/util.h"
 
 namespace zeek::detail
 	{
 
-class Stmt;
+using ObjPtr = IntrusivePtr<Obj>;
 
 /**
  * A simple class for managing stats of Zeek script coverage across Zeek runs.
@@ -19,7 +21,7 @@ class ScriptCoverageManager
 	{
 public:
 	ScriptCoverageManager();
-	virtual ~ScriptCoverageManager();
+	virtual ~ScriptCoverageManager() = default;
 
 	/**
 	 * Imports Zeek script Stmt usage information from file pointed to by
@@ -46,12 +48,18 @@ public:
 	void DecIgnoreDepth() { ignoring--; }
 
 	void AddStmt(Stmt* s);
+	void AddFunction(IDPtr func_id, StmtPtr body);
 
 private:
 	/**
 	 * The current, global ScriptCoverageManager instance creates this list at parse-time.
 	 */
-	std::list<Stmt*> stmts;
+	std::list<StmtPtr> stmts;
+
+	/**
+	 * A similar list for tracking functions and their bodies.
+	 */
+	std::list<std::pair<IDPtr, StmtPtr>> func_instances;
 
 	/**
 	 * Indicates whether new statements will not be considered as part of
@@ -88,6 +96,17 @@ private:
 				c = ' ';
 			}
 		};
+
+	/**
+	 * Tracks the usage of a given object with a given description
+	 * and a given coverage count.
+	 */
+	void TrackUsage(const ObjPtr& obj, std::string desc, uint64_t cnt);
+
+	/**
+	 * Reports a single coverage instance.
+	 */
+	void Report(FILE* f, uint64_t cnt, std::string loc, std::string desc);
 	};
 
 extern ScriptCoverageManager script_coverage_mgr;
diff --git a/src/ScriptProfile.cc b/src/ScriptProfile.cc
index e96f1bf328..b4647b2d18 100644
--- a/src/ScriptProfile.cc
+++ b/src/ScriptProfile.cc
@@ -57,7 +57,7 @@ void ScriptProfile::Report(FILE* f, bool with_traces) const
 			calls += util::fmt("%s|", s.c_str());
 			counts += util::fmt("%d|", stats.call_count);
 			cpu += util::fmt("%f|", stats.cpu_time);
-			memory += util::fmt("%llu|", stats.memory);
+			memory += util::fmt("%" PRIu64 "|", stats.memory);
 			}
 
 		calls.pop_back();
diff --git a/src/SmithWaterman.cc b/src/SmithWaterman.cc
index 7e590b0ccb..a3a01eaf56 100644
--- a/src/SmithWaterman.cc
+++ b/src/SmithWaterman.cc
@@ -172,10 +172,7 @@ bool SubstringCmp::operator()(const Substring* bst1, const Substring* bst2) cons
 		return false;
 		}
 
-	if ( bst1->GetAlignments()[_index].index <= bst2->GetAlignments()[_index].index )
-		return true;
-
-	return false;
+	return (bst1->GetAlignments()[_index].index < bst2->GetAlignments()[_index].index);
 	}
 
 // A node in Smith-Waterman's dynamic programming matrix.  Each node
diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc
index 3bd503a85a..8fd1041ff6 100644
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@@ -3,6 +3,7 @@
 #include "zeek/TunnelEncapsulation.h"
 
 #include "zeek/Conn.h"
+#include "zeek/Reporter.h"
 #include "zeek/util.h"
 
 namespace zeek
@@ -56,4 +57,15 @@ bool operator==(const EncapsulationStack& e1, const EncapsulationStack& e2)
 	return true;
 	}
 
+void EncapsulationStack::Pop()
+	{
+	if ( Depth() == 0 )
+		{
+		reporter->InternalWarning("Attempted to pop from empty EncapsulationStack\n");
+		return;
+		}
+
+	conns->pop_back();
+	}
+
 	} // namespace zeek
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index 88258e297f..2702131441 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@@ -249,6 +249,11 @@ public:
 		return nullptr;
 		}
 
+	/**
+	 * Pops the last element off the encapsulation stack.
+	 */
+	void Pop();
+
 protected:
 	std::vector<EncapsulatingConn>* conns;
 	};
diff --git a/src/Type.cc b/src/Type.cc
index e624809b62..97542ee008 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1348,6 +1348,7 @@ TableValPtr RecordType::GetRecordFieldsVal(const RecordVal* rv) const
 		nr->Assign(1, logged);
 		nr->Assign(2, std::move(fv));
 		nr->Assign(3, FieldDefault(i));
+		nr->Assign(4, fd->GetAttr(detail::ATTR_OPTIONAL) != detail::Attr::nil);
 		auto field_name = make_intrusive<StringVal>(FieldName(i));
 		rval->Assign(std::move(field_name), std::move(nr));
 		}
diff --git a/src/Val.cc b/src/Val.cc
index 9b94c2dd97..a6d6fbfed5 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -6,6 +6,9 @@
 
 #include <netdb.h>
 #include <netinet/in.h>
+#define RAPIDJSON_HAS_STDSTRING 1
+#include <rapidjson/document.h>
+#include <rapidjson/error/en.h>
 #include <sys/param.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -1061,6 +1064,333 @@ StringValPtr StringVal::Replace(RE_Matcher* re, const String& repl, bool do_all)
 	return make_intrusive<StringVal>(new String(true, result, r - result));
 	}
 
+static std::variant<ValPtr, std::string> BuildVal(const rapidjson::Value& j, const TypePtr& t)
+	{
+	auto mismatch_err = [t, &j]()
+	{
+		std::string json_type;
+		switch ( j.GetType() )
+			{
+			case rapidjson::Type::kNullType:
+				json_type = "null";
+				break;
+			case rapidjson::Type::kFalseType:
+			case rapidjson::Type::kTrueType:
+				json_type = "bool";
+				break;
+			case rapidjson::Type::kObjectType:
+				json_type = "object";
+				break;
+			case rapidjson::Type::kArrayType:
+				json_type = "array";
+				break;
+			case rapidjson::Type::kStringType:
+				json_type = "string";
+				break;
+			case rapidjson::Type::kNumberType:
+				json_type = "number";
+				break;
+			default:
+				json_type = "unknown";
+			}
+
+		return util::fmt("cannot convert JSON type '%s' to Zeek type '%s'", json_type.c_str(),
+		                 type_name(t->Tag()));
+	};
+
+	if ( j.IsNull() )
+		return Val::nil;
+
+	switch ( t->Tag() )
+		{
+		case TYPE_BOOL:
+			{
+			if ( ! j.IsBool() )
+				return mismatch_err();
+
+			return val_mgr->Bool(j.GetBool());
+			}
+
+		case TYPE_INT:
+			{
+			if ( ! j.IsInt64() )
+				return mismatch_err();
+
+			return val_mgr->Int(j.GetInt64());
+			}
+
+		case TYPE_COUNT:
+			{
+			if ( ! j.IsUint64() )
+				return mismatch_err();
+
+			return val_mgr->Count(j.GetUint64());
+			}
+
+		case TYPE_TIME:
+			{
+			if ( ! j.IsNumber() )
+				return mismatch_err();
+
+			return make_intrusive<TimeVal>(j.GetDouble());
+			}
+
+		case TYPE_DOUBLE:
+			{
+			if ( ! j.IsNumber() )
+				return mismatch_err();
+
+			return make_intrusive<DoubleVal>(j.GetDouble());
+			}
+
+		case TYPE_INTERVAL:
+			{
+			if ( ! j.IsNumber() )
+				return mismatch_err();
+
+			return make_intrusive<IntervalVal>(j.GetDouble());
+			}
+
+		case TYPE_PORT:
+			{
+			if ( ! j.IsString() )
+				return mismatch_err();
+
+			int port = 0;
+			if ( j.GetStringLength() > 0 && j.GetStringLength() < 10 )
+				{
+				char* slash;
+				errno = 0;
+				port = strtol(j.GetString(), &slash, 10);
+				if ( ! errno )
+					{
+					++slash;
+					if ( util::streq(slash, "tcp") )
+						return val_mgr->Port(port, TRANSPORT_TCP);
+					else if ( util::streq(slash, "udp") )
+						return val_mgr->Port(port, TRANSPORT_UDP);
+					else if ( util::streq(slash, "icmp") )
+						return val_mgr->Port(port, TRANSPORT_ICMP);
+					else if ( util::streq(slash, "unknown") )
+						return val_mgr->Port(port, TRANSPORT_UNKNOWN);
+					}
+				}
+
+			return "wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp|unknown)/";
+			}
+
+		case TYPE_PATTERN:
+			{
+			if ( ! j.IsString() )
+				return mismatch_err();
+
+			std::string candidate(j.GetString(), j.GetStringLength());
+			if ( candidate.size() > 2 && candidate.front() == candidate.back() &&
+			     candidate.back() == '/' )
+				{
+				// Remove the '/'s
+				candidate.erase(0, 1);
+				candidate.erase(candidate.size() - 1);
+				}
+
+			auto re = std::make_unique<RE_Matcher>(candidate.c_str());
+			if ( ! re->Compile() )
+				return "error compiling pattern";
+
+			return make_intrusive<PatternVal>(re.release());
+			}
+
+		case TYPE_ADDR:
+		case TYPE_SUBNET:
+			{
+			if ( ! j.IsString() )
+				return mismatch_err();
+
+			int width = 0;
+			std::string candidate;
+
+			if ( t->Tag() == TYPE_ADDR )
+				candidate = std::string(j.GetString(), j.GetStringLength());
+			else
+				{
+				std::string_view subnet_sv(j.GetString(), j.GetStringLength());
+				auto pos = subnet_sv.find('/');
+				if ( pos == subnet_sv.npos )
+					return util::fmt("invalid value for subnet: '%s'", j.GetString());
+
+				candidate = std::string(j.GetString(), pos);
+
+				errno = 0;
+				char* end;
+				width = strtol(subnet_sv.data() + pos + 1, &end, 10);
+				if ( subnet_sv.data() + pos + 1 == end || errno )
+					return util::fmt("invalid value for subnet: '%s'", j.GetString());
+				}
+
+			if ( candidate.front() == '[' )
+				candidate.erase(0, 1);
+			if ( candidate.back() == ']' )
+				candidate.erase(candidate.size() - 1);
+
+			if ( t->Tag() == TYPE_ADDR )
+				return make_intrusive<AddrVal>(candidate);
+			else
+				return make_intrusive<SubNetVal>(candidate.c_str(), width);
+			}
+
+		case TYPE_ENUM:
+			{
+			if ( ! j.IsString() )
+				return mismatch_err();
+
+			auto et = t->AsEnumType();
+			auto intval = et->Lookup({j.GetString(), j.GetStringLength()});
+
+			if ( intval < 0 )
+				return util::fmt("'%s' is not a valid enum for '%s'.", j.GetString(),
+				                 et->GetName().c_str());
+
+			return et->GetEnumVal(intval);
+			}
+
+		case TYPE_STRING:
+			{
+			if ( ! j.IsString() )
+				return mismatch_err();
+
+			return make_intrusive<StringVal>(j.GetStringLength(), j.GetString());
+			}
+
+		case TYPE_TABLE:
+			{
+			if ( ! j.IsArray() )
+				return mismatch_err();
+
+			if ( ! t->IsSet() )
+				return util::fmt("tables are not supported");
+
+			auto tt = t->AsSetType();
+			auto tl = tt->GetIndices();
+			auto tv = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, tt});
+
+			for ( const auto& item : j.GetArray() )
+				{
+				std::variant<ValPtr, std::string> v;
+
+				if ( tl->GetTypes().size() == 1 )
+					v = BuildVal(item, tl->GetPureType());
+				else
+					v = BuildVal(item, tl);
+
+				if ( ! get_if<ValPtr>(&v) )
+					return v;
+
+				if ( ! std::get<ValPtr>(v) )
+					continue;
+
+				tv->Assign(std::move(std::get<ValPtr>(v)), nullptr);
+				}
+
+			return tv;
+			}
+
+		case TYPE_RECORD:
+			{
+			if ( ! j.IsObject() )
+				return mismatch_err();
+
+			auto rt = t->AsRecordType();
+			auto rv = make_intrusive<RecordVal>(IntrusivePtr{NewRef{}, rt});
+			for ( int i = 0; i < rt->NumFields(); ++i )
+				{
+				auto td_i = rt->FieldDecl(i);
+				auto m_it = j.FindMember(td_i->id);
+				bool has_member = m_it != j.MemberEnd();
+				bool member_is_null = has_member && m_it->value.IsNull();
+
+				if ( ! has_member || member_is_null )
+					{
+					if ( ! td_i->GetAttr(detail::ATTR_OPTIONAL) &&
+					     ! td_i->GetAttr(detail::ATTR_DEFAULT) )
+						return util::fmt("required field %s$%s is %s in JSON", t->GetName().c_str(),
+						                 td_i->id, member_is_null ? "null" : "missing");
+
+					continue;
+					}
+
+				auto v = BuildVal(m_it->value, td_i->type);
+				if ( ! get_if<ValPtr>(&v) )
+					return v;
+
+				rv->Assign(i, std::move(std::get<ValPtr>(v)));
+				}
+
+			return rv;
+			}
+
+		case TYPE_LIST:
+			{
+			if ( ! j.IsArray() )
+				return mismatch_err();
+
+			auto lt = t->AsTypeList();
+
+			if ( j.GetArray().Size() < lt->GetTypes().size() )
+				return "index type doesn't match";
+
+			auto lv = make_intrusive<ListVal>(TYPE_ANY);
+
+			for ( size_t i = 0; i < lt->GetTypes().size(); i++ )
+				{
+				auto v = BuildVal(j.GetArray()[i], lt->GetTypes()[i]);
+				if ( ! get_if<ValPtr>(&v) )
+					return v;
+
+				lv->Append(std::move(std::get<ValPtr>(v)));
+				}
+
+			return lv;
+			}
+
+		case TYPE_VECTOR:
+			{
+			if ( ! j.IsArray() )
+				return mismatch_err();
+
+			auto vt = t->AsVectorType();
+			auto vv = make_intrusive<VectorVal>(IntrusivePtr{NewRef{}, vt});
+			for ( const auto& item : j.GetArray() )
+				{
+				auto v = BuildVal(item, vt->Yield());
+				if ( ! get_if<ValPtr>(&v) )
+					return v;
+
+				if ( ! std::get<ValPtr>(v) )
+					continue;
+
+				vv->Assign(vv->Size(), std::move(std::get<ValPtr>(v)));
+				}
+
+			return vv;
+			}
+
+		default:
+			return util::fmt("type '%s' unsupport", type_name(t->Tag()));
+		}
+	}
+
+std::variant<ValPtr, std::string> detail::ValFromJSON(std::string_view json_str, const TypePtr& t)
+	{
+	rapidjson::Document doc;
+	rapidjson::ParseResult ok = doc.Parse(json_str.data(), json_str.length());
+
+	if ( ! ok )
+		return util::fmt("JSON parse error: %s Offset: %lu", rapidjson::GetParseError_En(ok.Code()),
+		                 ok.Offset());
+
+	return BuildVal(doc, t);
+	}
+
 ValPtr StringVal::DoClone(CloneState* state)
 	{
 	// We could likely treat this type as immutable and return a reference
diff --git a/src/Val.h b/src/Val.h
index 7290a6eacd..629dbe624e 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -6,6 +6,7 @@
 #include <array>
 #include <list>
 #include <unordered_map>
+#include <variant>
 #include <vector>
 
 #include "zeek/IntrusivePtr.h"
@@ -1794,4 +1795,12 @@ extern bool can_cast_value_to_type(const Val* v, Type* t);
 // specific instance later.
 extern bool can_cast_value_to_type(const Type* s, Type* t);
 
+namespace detail
+	{
+// Parses a JSON string into arbitrary Zeek data using std::variant to simulate functional exception
+// handling. Returns a ValPtr if parsing was successful, or a std::string containing an error
+// message if an error occurred.
+extern std::variant<ValPtr, std::string> ValFromJSON(std::string_view json_str, const TypePtr& t);
+	}
+
 	} // namespace zeek
diff --git a/src/Var.cc b/src/Var.cc
index 0686363121..d23edc0df8 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -14,6 +14,7 @@
 #include "zeek/IntrusivePtr.h"
 #include "zeek/Reporter.h"
 #include "zeek/Scope.h"
+#include "zeek/ScriptCoverageManager.h"
 #include "zeek/Stmt.h"
 #include "zeek/Traverse.h"
 #include "zeek/Val.h"
@@ -859,6 +860,8 @@ void end_func(StmtPtr body, const char* module_name, bool free_of_conditionals)
 	                                ingredients->FrameSize(), ingredients->Priority(),
 	                                ingredients->Groups());
 
+	script_coverage_mgr.AddFunction(id, ingredients->Body());
+
 	auto func_ptr = cast_intrusive<FuncVal>(id->GetVal())->AsFuncPtr();
 	auto func = cast_intrusive<ScriptFunc>(func_ptr);
 	func->SetScope(ingredients->Scope());
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 6a1c4725d7..f214350abb 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -863,6 +863,11 @@ void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig, u
 		return;
 		}
 
+	// If the parent is being removed or has finished, there's little point
+	// for a support analyzers to move packets forward.
+	if ( Parent()->Removing() || Parent()->IsFinished() )
+		return;
+
 	SupportAnalyzer* next_sibling = Sibling(true);
 
 	if ( next_sibling )
@@ -883,6 +888,11 @@ void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 		return;
 		}
 
+	// If the parent is being removed or has finished, there's little point
+	// for a support analyzers to move stream data forward.
+	if ( Parent()->Removing() || Parent()->IsFinished() )
+		return;
+
 	SupportAnalyzer* next_sibling = Sibling(true);
 
 	if ( next_sibling )
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index a3b6b297c9..6533841c95 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -154,7 +154,7 @@ public:
 	/**
 	 * Passes packet input to the analyzer for processing. The analyzer
 	 * will process the input with any support analyzers first and then
-	 * forward the data to DeliverStream(), which derived classes can
+	 * forward the data to DeliverPacket(), which derived classes can
 	 * override.
 	 *
 	 * Note that there is a separate method for stream input,
@@ -254,7 +254,7 @@ public:
 
 	/**
 	 * Hook for accessing packet input for parsing. This is called by
-	 * NextDeliverPacket() and can be overridden by derived classes.
+	 * NextPacket() and can be overridden by derived classes.
 	 * Parameters are the same.
 	 */
 	virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
@@ -262,7 +262,7 @@ public:
 
 	/**
 	 * Hook for accessing stream input for parsing. This is called by
-	 * NextDeliverStream() and can be overridden by derived classes.
+	 * NextStream() and can be overridden by derived classes.
 	 * Parameters are the same.
 	 */
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt
index 496de66d32..ca901c3771 100644
--- a/src/analyzer/CMakeLists.txt
+++ b/src/analyzer/CMakeLists.txt
@@ -1,12 +1,14 @@
 zeek_add_subdir_library(
     analyzer
-    INTERNAL_DEPENDENCIES ${BIF_BUILD_TARGET}
-    INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+    INTERNAL_DEPENDENCIES
+    ${BIF_BUILD_TARGET}
+    INCLUDE_DIRS
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}
     SOURCES
-        Analyzer.cc
-        Component.cc
-        Manager.cc
-)
+    Analyzer.cc
+    Component.cc
+    Manager.cc)
 
 # Treat BIFs as builtin (alternative mode).
 bif_target(analyzer.bif)
diff --git a/src/analyzer/protocol/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt
index 2881d8339f..9c663bc3d0 100644
--- a/src/analyzer/protocol/bittorrent/CMakeLists.txt
+++ b/src/analyzer/protocol/bittorrent/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     BitTorrent
     SOURCES
-        BitTorrent.cc
-        BitTorrentTracker.cc
-        Plugin.cc
+    BitTorrent.cc
+    BitTorrentTracker.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        bittorrent.pac
-        bittorrent-analyzer.pac
-        bittorrent-protocol.pac
-)
+    bittorrent.pac
+    bittorrent-analyzer.pac
+    bittorrent-protocol.pac)
diff --git a/src/analyzer/protocol/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt
index 5ed096d5c3..6780316ab5 100644
--- a/src/analyzer/protocol/conn-size/CMakeLists.txt
+++ b/src/analyzer/protocol/conn-size/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     ConnSize
     SOURCES
-        ConnSize.cc
-        Plugin.cc
+    ConnSize.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index 39cb498b6e..34b3f95ba8 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -2,17 +2,16 @@ zeek_add_plugin(
     Zeek
     DCE_RPC
     SOURCES
-        DCE_RPC.cc
-        Plugin.cc
+    DCE_RPC.cc
+    Plugin.cc
     BIFS
-        consts.bif
-        types.bif
-        events.bif
+    consts.bif
+    types.bif
+    events.bif
     PAC
-        dce_rpc.pac
-        dce_rpc-protocol.pac
-        dce_rpc-analyzer.pac
-        dce_rpc-auth.pac
-        endpoint-atsvc.pac
-        endpoint-epmapper.pac
-)
+    dce_rpc.pac
+    dce_rpc-protocol.pac
+    dce_rpc-analyzer.pac
+    dce_rpc-auth.pac
+    endpoint-atsvc.pac
+    endpoint-epmapper.pac)
diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt
index 2964060d82..c6623b56f0 100644
--- a/src/analyzer/protocol/dhcp/CMakeLists.txt
+++ b/src/analyzer/protocol/dhcp/CMakeLists.txt
@@ -2,14 +2,13 @@ zeek_add_plugin(
     Zeek
     DHCP
     SOURCES
-        DHCP.cc
-        Plugin.cc
+    DHCP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        types.bif
+    events.bif
+    types.bif
     PAC
-        dhcp.pac
-        dhcp-protocol.pac
-        dhcp-analyzer.pac
-        dhcp-options.pac
-)
+    dhcp.pac
+    dhcp-protocol.pac
+    dhcp-analyzer.pac
+    dhcp-options.pac)
diff --git a/src/analyzer/protocol/dnp3/CMakeLists.txt b/src/analyzer/protocol/dnp3/CMakeLists.txt
index be084cf874..dd647498f8 100644
--- a/src/analyzer/protocol/dnp3/CMakeLists.txt
+++ b/src/analyzer/protocol/dnp3/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     DNP3
     SOURCES
-        DNP3.cc
-        Plugin.cc
+    DNP3.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        dnp3.pac
-        dnp3-analyzer.pac
-        dnp3-protocol.pac
-        dnp3-objects.pac
-)
+    dnp3.pac
+    dnp3-analyzer.pac
+    dnp3-protocol.pac
+    dnp3-objects.pac)
diff --git a/src/analyzer/protocol/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt
index 8e6a9c8a93..7fbeec5e1e 100644
--- a/src/analyzer/protocol/dns/CMakeLists.txt
+++ b/src/analyzer/protocol/dns/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     DNS
     SOURCES
-        DNS.cc
-        Plugin.cc
+    DNS.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt
index 5408b1851c..ae574880cf 100644
--- a/src/analyzer/protocol/file/CMakeLists.txt
+++ b/src/analyzer/protocol/file/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     File
     SOURCES
-        File.cc
-        Plugin.cc
+    File.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
index 056a5f93e2..39174c03c5 100644
--- a/src/analyzer/protocol/finger/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/CMakeLists.txt
@@ -1,9 +1,8 @@
 spicy_add_analyzer(
-  NAME
+    NAME
     Finger
-  SOURCES
+    SOURCES
     finger.spicy
     finger.evt
-  LEGACY
-    legacy
-)
+    LEGACY
+    legacy)
diff --git a/src/analyzer/protocol/finger/legacy/CMakeLists.txt b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
index 6f006489bd..3ad97bd66b 100644
--- a/src/analyzer/protocol/finger/legacy/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     Finger
     SOURCES
-        Finger.cc
-        Plugin.cc
+    Finger.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt
index 3420c4eb5f..728c5ddc65 100644
--- a/src/analyzer/protocol/ftp/CMakeLists.txt
+++ b/src/analyzer/protocol/ftp/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     FTP
     SOURCES
-        FTP.cc
-        Plugin.cc
+    FTP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt
index 7177f2bb4b..58d28c5a37 100644
--- a/src/analyzer/protocol/gnutella/CMakeLists.txt
+++ b/src/analyzer/protocol/gnutella/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     Gnutella
     SOURCES
-        Gnutella.cc
-        Plugin.cc
+    Gnutella.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt
index c35ae4187b..454b45c5a2 100644
--- a/src/analyzer/protocol/gssapi/CMakeLists.txt
+++ b/src/analyzer/protocol/gssapi/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     GSSAPI
     SOURCES
-        GSSAPI.cc
-        Plugin.cc
+    GSSAPI.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        gssapi.pac
-        gssapi-protocol.pac
-        gssapi-analyzer.pac
-        ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
-)
+    gssapi.pac
+    gssapi-protocol.pac
+    gssapi-analyzer.pac
+    ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac)
diff --git a/src/analyzer/protocol/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt
index eb1f66e9f0..a0088de732 100644
--- a/src/analyzer/protocol/http/CMakeLists.txt
+++ b/src/analyzer/protocol/http/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     HTTP
     SOURCES
-        HTTP.cc
-        Plugin.cc
+    HTTP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt
index 549073420d..82c32491ee 100644
--- a/src/analyzer/protocol/ident/CMakeLists.txt
+++ b/src/analyzer/protocol/ident/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     Ident
     SOURCES
-        Ident.cc
-        Plugin.cc
+    Ident.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
index 33f340b54f..257b1bf0bc 100644
--- a/src/analyzer/protocol/imap/CMakeLists.txt
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     IMAP
     SOURCES
-        Plugin.cc
-        IMAP.cc
+    Plugin.cc
+    IMAP.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        imap.pac
-        imap-analyzer.pac
-        imap-protocol.pac
-)
+    imap.pac
+    imap-analyzer.pac
+    imap-protocol.pac)
diff --git a/src/analyzer/protocol/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt
index a99f0a5b72..0791a61c79 100644
--- a/src/analyzer/protocol/irc/CMakeLists.txt
+++ b/src/analyzer/protocol/irc/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     IRC
     SOURCES
-        IRC.cc
-        Plugin.cc
+    IRC.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/krb/CMakeLists.txt b/src/analyzer/protocol/krb/CMakeLists.txt
index 192b9cf2bc..a9ac783095 100644
--- a/src/analyzer/protocol/krb/CMakeLists.txt
+++ b/src/analyzer/protocol/krb/CMakeLists.txt
@@ -2,28 +2,27 @@ zeek_add_plugin(
     Zeek
     KRB
     SOURCES
-        Plugin.cc
-        KRB.cc
-        KRB_TCP.cc
+    Plugin.cc
+    KRB.cc
+    KRB_TCP.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        krb.pac
-        krb-protocol.pac
-        krb-analyzer.pac
-        krb-asn1.pac
-        krb-defs.pac
-        krb-types.pac
-        krb-padata.pac
-        ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
+    krb.pac
+    krb-protocol.pac
+    krb-analyzer.pac
+    krb-asn1.pac
+    krb-defs.pac
+    krb-types.pac
+    krb-padata.pac
+    ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
     PAC
-        krb_TCP.pac
-        krb-protocol.pac
-        krb-analyzer.pac
-        krb-asn1.pac
-        krb-defs.pac
-        krb-types.pac
-        krb-padata.pac
-        ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
-)
+    krb_TCP.pac
+    krb-protocol.pac
+    krb-analyzer.pac
+    krb-asn1.pac
+    krb-defs.pac
+    krb-types.pac
+    krb-padata.pac
+    ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac)
diff --git a/src/analyzer/protocol/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt
index 215d17dbd6..d2e78bd7ac 100644
--- a/src/analyzer/protocol/login/CMakeLists.txt
+++ b/src/analyzer/protocol/login/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     Login
     SOURCES
-        Login.cc
-        RSH.cc
-        Telnet.cc
-        Rlogin.cc
-        NVT.cc
-        Plugin.cc
+    Login.cc
+    RSH.cc
+    Telnet.cc
+    Rlogin.cc
+    NVT.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt
index 6936945852..774766d2d8 100644
--- a/src/analyzer/protocol/mime/CMakeLists.txt
+++ b/src/analyzer/protocol/mime/CMakeLists.txt
@@ -7,8 +7,7 @@ zeek_add_plugin(
     Zeek
     MIME
     SOURCES
-        MIME.cc
-        Plugin.cc
+    MIME.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index 51870e1c00..22ccfb4899 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -1412,7 +1412,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 	if ( mime_end_entity )
 		analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
 
-	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
+	if ( ! cur_entity_id.empty() )
+		file_mgr->EndOfFile(cur_entity_id);
+	else
+		file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
+
 	cur_entity_id.clear();
 	}
 
diff --git a/src/analyzer/protocol/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt
index edb22e4727..1c2f078760 100644
--- a/src/analyzer/protocol/modbus/CMakeLists.txt
+++ b/src/analyzer/protocol/modbus/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     Modbus
     SOURCES
-        Modbus.cc
-        Plugin.cc
+    Modbus.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        modbus.pac
-        modbus-analyzer.pac
-        modbus-protocol.pac
-)
+    modbus.pac
+    modbus-analyzer.pac
+    modbus-protocol.pac)
diff --git a/src/analyzer/protocol/mqtt/CMakeLists.txt b/src/analyzer/protocol/mqtt/CMakeLists.txt
index 471be968bb..7c55d984d2 100644
--- a/src/analyzer/protocol/mqtt/CMakeLists.txt
+++ b/src/analyzer/protocol/mqtt/CMakeLists.txt
@@ -2,26 +2,25 @@ zeek_add_plugin(
     Zeek
     MQTT
     SOURCES
-        MQTT.cc
-        Plugin.cc
+    MQTT.cc
+    Plugin.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        mqtt.pac
-        mqtt-protocol.pac
-        commands/connect.pac
-        commands/connack.pac
-        commands/publish.pac
-        commands/puback.pac
-        commands/pubrec.pac
-        commands/pubrel.pac
-        commands/pubcomp.pac
-        commands/subscribe.pac
-        commands/suback.pac
-        commands/unsuback.pac
-        commands/unsubscribe.pac
-        commands/disconnect.pac
-        commands/pingreq.pac
-        commands/pingresp.pac
-)
+    mqtt.pac
+    mqtt-protocol.pac
+    commands/connect.pac
+    commands/connack.pac
+    commands/publish.pac
+    commands/puback.pac
+    commands/pubrec.pac
+    commands/pubrel.pac
+    commands/pubcomp.pac
+    commands/subscribe.pac
+    commands/suback.pac
+    commands/unsuback.pac
+    commands/unsubscribe.pac
+    commands/disconnect.pac
+    commands/pingreq.pac
+    commands/pingresp.pac)
diff --git a/src/analyzer/protocol/mysql/CMakeLists.txt b/src/analyzer/protocol/mysql/CMakeLists.txt
index deb369a18b..8dcecf637d 100644
--- a/src/analyzer/protocol/mysql/CMakeLists.txt
+++ b/src/analyzer/protocol/mysql/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     MySQL
     SOURCES
-        MySQL.cc
-        Plugin.cc
+    MySQL.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        mysql.pac
-        mysql-analyzer.pac
-        mysql-protocol.pac
-)
+    mysql.pac
+    mysql-analyzer.pac
+    mysql-protocol.pac)
diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt
index 55805782b4..dd217f9977 100644
--- a/src/analyzer/protocol/ncp/CMakeLists.txt
+++ b/src/analyzer/protocol/ncp/CMakeLists.txt
@@ -2,11 +2,10 @@ zeek_add_plugin(
     Zeek
     NCP
     SOURCES
-        NCP.cc
-        Plugin.cc
+    NCP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        consts.bif
+    events.bif
+    consts.bif
     PAC
-        ncp.pac
-)
+    ncp.pac)
diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt
index e000eee6e5..ef2b863c4d 100644
--- a/src/analyzer/protocol/netbios/CMakeLists.txt
+++ b/src/analyzer/protocol/netbios/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     NetBIOS
     SOURCES
-        NetbiosSSN.cc
-        Plugin.cc
+    NetbiosSSN.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/ntlm/CMakeLists.txt b/src/analyzer/protocol/ntlm/CMakeLists.txt
index 340551d9ba..f5cf25b1fd 100644
--- a/src/analyzer/protocol/ntlm/CMakeLists.txt
+++ b/src/analyzer/protocol/ntlm/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     NTLM
     SOURCES
-        NTLM.cc
-        Plugin.cc
+    NTLM.cc
+    Plugin.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        ntlm.pac
-        ntlm-protocol.pac
-        ntlm-analyzer.pac
-)
+    ntlm.pac
+    ntlm-protocol.pac
+    ntlm-analyzer.pac)
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index 3f38c34b8b..1a062716bd 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -2,14 +2,13 @@ zeek_add_plugin(
     Zeek
     NTP
     SOURCES
-        NTP.cc
-        Plugin.cc
+    NTP.cc
+    Plugin.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        ntp.pac
-        ntp-analyzer.pac
-        ntp-mode7.pac
-        ntp-protocol.pac
-)
+    ntp.pac
+    ntp-analyzer.pac
+    ntp-mode7.pac
+    ntp-protocol.pac)
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index c202e40daf..d0ce8d964d 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -130,11 +130,25 @@
 
 refine flow NTP_Flow += {
 
+	%member{
+		bool flipped_;
+	%}
+
+	%init{
+		flipped_ = false;
+	%}
 
 	function proc_ntp_message(msg: NTP_PDU): bool
 		%{
 		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
+		// Flip roles for SERVER mode message from orig or a CLIENT mode message from resp.
+		if ( ((${msg.mode} == SERVER && is_orig()) || (${msg.mode} == CLIENT && ! is_orig())) && ! flipped_ )
+			{
+			connection()->zeek_analyzer()->Conn()->FlipRoles();
+			flipped_ = true;
+			}
+
 		if ( ! ntp_message )
 			return false;
 
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 6c92aee1e8..dac60ebfc1 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -1,5 +1,14 @@
 # This is the common part in the header format.
 # See RFC 5905 for details
+enum NTP_Mode {
+	SYMMETRIC_ACTIVE = 1,
+	SYMMETRIC_PASSIVE = 2,
+	CLIENT = 3,
+	SERVER = 4,
+	BROADCAST_SERVER = 5,
+	BROADCAST_CLIENT = 6,
+};
+
 type NTP_PDU(is_orig: bool) = record {
 	# The first byte of the NTP header contains the leap indicator,
 	# the version and the mode
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
index ad7fdc8a55..e8ee99dd46 100644
--- a/src/analyzer/protocol/pia/CMakeLists.txt
+++ b/src/analyzer/protocol/pia/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    Zeek
-    PIA
-    SOURCES
-        PIA.cc
-        Plugin.cc
-)
+zeek_add_plugin(Zeek PIA SOURCES PIA.cc Plugin.cc)
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index 5a9babe55f..08d68b6aef 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -60,29 +60,22 @@ protected:
 	// sequence numbers for TCP) and chunks of a reassembled stream.
 	struct DataBlock
 		{
-		IP_Hdr* ip;
-		const u_char* data;
-		bool is_orig;
-		int len;
-		uint64_t seq;
-		DataBlock* next;
+		IP_Hdr* ip = nullptr;
+		const u_char* data = nullptr;
+		bool is_orig = false;
+		size_t len = 0;
+		size_t cap_len = 0;
+		uint64_t seq = 0;
+		DataBlock* next = nullptr;
 		};
 
 	struct Buffer
 		{
-		Buffer()
-			{
-			head = tail = nullptr;
-			size = 0;
-			chunks = 0;
-			state = INIT;
-			}
-
-		DataBlock* head;
-		DataBlock* tail;
-		int64_t size;
-		int64_t chunks;
-		State state;
+		DataBlock* head = nullptr;
+		DataBlock* tail = nullptr;
+		int64_t size = 0;
+		int64_t chunks = 0;
+		State state = INIT;
 		};
 
 	void AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, bool is_orig,
diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt
index 3de7ae5289..f5283b17e4 100644
--- a/src/analyzer/protocol/pop3/CMakeLists.txt
+++ b/src/analyzer/protocol/pop3/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     POP3
     SOURCES
-        POP3.cc
-        Plugin.cc
+    POP3.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/radius/CMakeLists.txt b/src/analyzer/protocol/radius/CMakeLists.txt
index 62c541fa58..3239bc71c7 100644
--- a/src/analyzer/protocol/radius/CMakeLists.txt
+++ b/src/analyzer/protocol/radius/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     RADIUS
     SOURCES
-        RADIUS.cc
-        Plugin.cc
+    RADIUS.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        radius.pac
-        radius-analyzer.pac
-        radius-protocol.pac
-)
+    radius.pac
+    radius-analyzer.pac
+    radius-protocol.pac)
diff --git a/src/analyzer/protocol/rdp/CMakeLists.txt b/src/analyzer/protocol/rdp/CMakeLists.txt
index 836dc45ca8..2cc96a0768 100644
--- a/src/analyzer/protocol/rdp/CMakeLists.txt
+++ b/src/analyzer/protocol/rdp/CMakeLists.txt
@@ -2,19 +2,18 @@ zeek_add_plugin(
     Zeek
     RDP
     SOURCES
-        RDPEUDP.cc
-        RDP.cc
-        Plugin.cc
+    RDPEUDP.cc
+    RDP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        types.bif
+    events.bif
+    types.bif
     PAC
-        rdp.pac
-        rdp-analyzer.pac
-        rdp-protocol.pac
-        ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
+    rdp.pac
+    rdp-analyzer.pac
+    rdp-protocol.pac
+    ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
     PAC
-        rdpeudp.pac
-        rdpeudp-analyzer.pac
-        rdpeudp-protocol.pac
-)
+    rdpeudp.pac
+    rdpeudp-analyzer.pac
+    rdpeudp-protocol.pac)
diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt
index 0d902b55d7..ee23af1e88 100644
--- a/src/analyzer/protocol/rfb/CMakeLists.txt
+++ b/src/analyzer/protocol/rfb/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     RFB
     SOURCES
-        RFB.cc
-        Plugin.cc
+    RFB.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        rfb.pac
-        rfb-analyzer.pac
-        rfb-protocol.pac
-)
+    rfb.pac
+    rfb-analyzer.pac
+    rfb-protocol.pac)
diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt
index e871ec1956..fcb3547b04 100644
--- a/src/analyzer/protocol/rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/rpc/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     RPC
     SOURCES
-        RPC.cc
-        NFS.cc
-        MOUNT.cc
-        Portmap.cc
-        XDR.cc
-        Plugin.cc
+    RPC.cc
+    NFS.cc
+    MOUNT.cc
+    Portmap.cc
+    XDR.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/analyzer/protocol/sip/CMakeLists.txt b/src/analyzer/protocol/sip/CMakeLists.txt
index 1fb64bf0af..1d3d9a7d8d 100644
--- a/src/analyzer/protocol/sip/CMakeLists.txt
+++ b/src/analyzer/protocol/sip/CMakeLists.txt
@@ -2,17 +2,16 @@ zeek_add_plugin(
     Zeek
     SIP
     SOURCES
-        Plugin.cc
-        SIP.cc
-        SIP_TCP.cc
+    Plugin.cc
+    SIP.cc
+    SIP_TCP.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        sip.pac
-        sip-analyzer.pac
-        sip-protocol.pac
+    sip.pac
+    sip-analyzer.pac
+    sip-protocol.pac
     PAC
-        sip_TCP.pac
-        sip-protocol.pac
-        sip-analyzer.pac
-)
+    sip_TCP.pac
+    sip-protocol.pac
+    sip-analyzer.pac)
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 7466dbd263..4bd7cf1eee 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -2,88 +2,87 @@ zeek_add_plugin(
     Zeek
     SMB
     SOURCES
-        SMB.cc
-        Plugin.cc
+    SMB.cc
+    Plugin.cc
     BIFS
-        # SMB 1.
-	      smb1_com_check_directory.bif
-	      smb1_com_close.bif
-	      smb1_com_create_directory.bif
-	      smb1_com_echo.bif
-	      smb1_com_logoff_andx.bif
-	      smb1_com_negotiate.bif
-	      smb1_com_nt_create_andx.bif
-	      smb1_com_nt_cancel.bif
-	      smb1_com_query_information.bif
-	      smb1_com_read_andx.bif
-	      smb1_com_session_setup_andx.bif
-	      smb1_com_transaction.bif
-	      smb1_com_transaction_secondary.bif
-	      smb1_com_transaction2.bif
-	      smb1_com_transaction2_secondary.bif
-	      smb1_com_tree_connect_andx.bif
-	      smb1_com_tree_disconnect.bif
-	      smb1_com_write_andx.bif
-	      smb1_events.bif
-        # SMB 2.
-	      smb2_com_close.bif
-	      smb2_com_create.bif
-	      smb2_com_negotiate.bif
-	      smb2_com_read.bif
-	      smb2_com_session_setup.bif
-	      smb2_com_set_info.bif
-	      smb2_com_tree_connect.bif
-	      smb2_com_tree_disconnect.bif
-	      smb2_com_write.bif
-	      smb2_com_transform_header.bif
-	      smb2_events.bif
-        # Common boilerplate.
-	      events.bif
-	      consts.bif
-	      types.bif
+    # SMB 1.
+    smb1_com_check_directory.bif
+    smb1_com_close.bif
+    smb1_com_create_directory.bif
+    smb1_com_echo.bif
+    smb1_com_logoff_andx.bif
+    smb1_com_negotiate.bif
+    smb1_com_nt_create_andx.bif
+    smb1_com_nt_cancel.bif
+    smb1_com_query_information.bif
+    smb1_com_read_andx.bif
+    smb1_com_session_setup_andx.bif
+    smb1_com_transaction.bif
+    smb1_com_transaction_secondary.bif
+    smb1_com_transaction2.bif
+    smb1_com_transaction2_secondary.bif
+    smb1_com_tree_connect_andx.bif
+    smb1_com_tree_disconnect.bif
+    smb1_com_write_andx.bif
+    smb1_events.bif
+    # SMB 2.
+    smb2_com_close.bif
+    smb2_com_create.bif
+    smb2_com_negotiate.bif
+    smb2_com_read.bif
+    smb2_com_session_setup.bif
+    smb2_com_set_info.bif
+    smb2_com_tree_connect.bif
+    smb2_com_tree_disconnect.bif
+    smb2_com_write.bif
+    smb2_com_transform_header.bif
+    smb2_events.bif
+    # Common boilerplate.
+    events.bif
+    consts.bif
+    types.bif
     PAC
-        # Common boilerplate.
-	      smb.pac
-	      smb-common.pac
-	      smb-strings.pac
-	      smb-time.pac
-	      smb-pipe.pac
-	      smb-gssapi.pac
-	      smb-mailslot.pac
-        # SMB 1.
-	      smb1-protocol.pac
-	      smb1-com-check-directory.pac
-	      smb1-com-close.pac
-	      smb1-com-create-directory.pac
-	      smb1-com-echo.pac
-	      smb1-com-locking-andx.pac
-	      smb1-com-logoff-andx.pac
-	      smb1-com-negotiate.pac
-	      smb1-com-nt-cancel.pac
-	      smb1-com-nt-create-andx.pac
-	      smb1-com-nt-transact.pac
-	      smb1-com-query-information.pac
-	      smb1-com-read-andx.pac
-	      smb1-com-session-setup-andx.pac
-	      smb1-com-transaction-secondary.pac
-	      smb1-com-transaction.pac
-	      smb1-com-transaction2.pac
-	      smb1-com-transaction2-secondary.pac
-	      smb1-com-tree-connect-andx.pac
-	      smb1-com-tree-disconnect.pac
-	      smb1-com-write-andx.pac
-        # SMB 2.
-	      smb2-protocol.pac
-	      smb2-com-close.pac
-	      smb2-com-create.pac
-	      smb2-com-ioctl.pac
-	      smb2-com-lock.pac
-	      smb2-com-negotiate.pac
-	      smb2-com-read.pac
-	      smb2-com-session-setup.pac
-	      smb2-com-set-info.pac
-	      smb2-com-tree-connect.pac
-	      smb2-com-tree-disconnect.pac
-	      smb2-com-write.pac
-	      smb2-com-transform-header.pac
-)
+    # Common boilerplate.
+    smb.pac
+    smb-common.pac
+    smb-strings.pac
+    smb-time.pac
+    smb-pipe.pac
+    smb-gssapi.pac
+    smb-mailslot.pac
+    # SMB 1.
+    smb1-protocol.pac
+    smb1-com-check-directory.pac
+    smb1-com-close.pac
+    smb1-com-create-directory.pac
+    smb1-com-echo.pac
+    smb1-com-locking-andx.pac
+    smb1-com-logoff-andx.pac
+    smb1-com-negotiate.pac
+    smb1-com-nt-cancel.pac
+    smb1-com-nt-create-andx.pac
+    smb1-com-nt-transact.pac
+    smb1-com-query-information.pac
+    smb1-com-read-andx.pac
+    smb1-com-session-setup-andx.pac
+    smb1-com-transaction-secondary.pac
+    smb1-com-transaction.pac
+    smb1-com-transaction2.pac
+    smb1-com-transaction2-secondary.pac
+    smb1-com-tree-connect-andx.pac
+    smb1-com-tree-disconnect.pac
+    smb1-com-write-andx.pac
+    # SMB 2.
+    smb2-protocol.pac
+    smb2-com-close.pac
+    smb2-com-create.pac
+    smb2-com-ioctl.pac
+    smb2-com-lock.pac
+    smb2-com-negotiate.pac
+    smb2-com-read.pac
+    smb2-com-session-setup.pac
+    smb2-com-set-info.pac
+    smb2-com-tree-connect.pac
+    smb2-com-tree-disconnect.pac
+    smb2-com-write.pac
+    smb2-com-transform-header.pac)
diff --git a/src/analyzer/protocol/smb/consts.bif b/src/analyzer/protocol/smb/consts.bif
index 321875b43d..6acd464f6a 100644
--- a/src/analyzer/protocol/smb/consts.bif
+++ b/src/analyzer/protocol/smb/consts.bif
@@ -1 +1,2 @@
-const SMB::pipe_filenames: string_set;
\ No newline at end of file
+const SMB::pipe_filenames: string_set;
+const SMB::max_pending_messages: count;
diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
index 8d65312f9d..d37320ae68 100644
--- a/src/analyzer/protocol/smb/smb2-com-ioctl.pac
+++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac
@@ -17,6 +17,17 @@ refine connection SMB_Conn += {
 
 	function proc_smb2_ioctl_request(val: SMB2_ioctl_request) : bool
 		%{
+		if ( zeek::BifConst::SMB::max_pending_messages > 0 &&
+		     smb2_ioctl_fids.size() >= zeek::BifConst::SMB::max_pending_messages )
+			{
+			if ( smb2_discarded_messages_state )
+				zeek::BifEvent::enqueue_smb2_discarded_messages_state(zeek_analyzer(), zeek_analyzer()->Conn(),
+				                                                     zeek::make_intrusive<zeek::StringVal>("ioctl"));
+
+
+			smb2_ioctl_fids.clear();
+			}
+
 		smb2_ioctl_fids[${val.header.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
 		return true;
 		%}
diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac
index 04679d804f..d9b2d7cf7f 100644
--- a/src/analyzer/protocol/smb/smb2-com-read.pac
+++ b/src/analyzer/protocol/smb/smb2-com-read.pac
@@ -34,6 +34,17 @@ refine connection SMB_Conn += {
 			                                    ${val.read_len});
 			}
 
+		if ( zeek::BifConst::SMB::max_pending_messages > 0 &&
+		     (smb2_read_offsets.size() >= zeek::BifConst::SMB::max_pending_messages ||
+		      smb2_read_fids.size() >= zeek::BifConst::SMB::max_pending_messages) )
+			{
+			if ( smb2_discarded_messages_state )
+				zeek::BifEvent::enqueue_smb2_discarded_messages_state(zeek_analyzer(), zeek_analyzer()->Conn(),
+				                                                      zeek::make_intrusive<zeek::StringVal>("read"));
+			smb2_read_offsets.clear();
+			smb2_read_fids.clear();
+			}
+
 		smb2_read_offsets[${h.message_id}] = ${val.offset};
 		smb2_read_fids[${h.message_id}] = ${val.file_id.persistent} + ${val.file_id._volatile};
 
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index 3c354d3216..f8126ba3bf 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -230,6 +230,16 @@ refine connection SMB_Conn += {
 		%{
 		if ( is_orig )
 			{
+			if ( zeek::BifConst::SMB::max_pending_messages > 0 &&
+			     smb2_request_tree_id.size() >= zeek::BifConst::SMB::max_pending_messages )
+				{
+				if ( smb2_discarded_messages_state )
+					zeek::BifEvent::enqueue_smb2_discarded_messages_state(zeek_analyzer(), zeek_analyzer()->Conn(),
+					                                                     zeek::make_intrusive<zeek::StringVal>("tree"));
+
+				smb2_request_tree_id.clear();
+				}
+
 			// Store the tree_id
 			smb2_request_tree_id[${h.message_id}] = ${h.tree_id};
 			}
diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif
index 2071a0600e..9ef661df77 100644
--- a/src/analyzer/protocol/smb/smb2_events.bif
+++ b/src/analyzer/protocol/smb/smb2_events.bif
@@ -15,3 +15,16 @@
 ##
 ## .. zeek:see:: smb1_message
 event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 connections for which pending read, ioctl or tree requests exceeds
+## the :zeek:see:`SMB::max_pending_messages` setting. This event indicates either
+## traffic loss, traffic load-balancing issues, or failures to parse or match
+## SMB responses with SMB requests. When this event is raised, internal per-connection
+## parser state has been reset.
+##
+## c: The affected connection.
+##
+## state: String describing what kind of state was affected.
+##        One of read, ioctl or tree.
+event smb2_discarded_messages_state%(c: connection, state: string%);
diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt
index e1618af641..b302045985 100644
--- a/src/analyzer/protocol/smtp/CMakeLists.txt
+++ b/src/analyzer/protocol/smtp/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     SMTP
     SOURCES
-        SMTP.cc
-        Plugin.cc
+    SMTP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/snmp/CMakeLists.txt b/src/analyzer/protocol/snmp/CMakeLists.txt
index d93762aa75..48c829d91b 100644
--- a/src/analyzer/protocol/snmp/CMakeLists.txt
+++ b/src/analyzer/protocol/snmp/CMakeLists.txt
@@ -2,14 +2,13 @@ zeek_add_plugin(
     Zeek
     SNMP
     SOURCES
-        SNMP.cc
-        Plugin.cc
+    SNMP.cc
+    Plugin.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        snmp.pac
-        snmp-protocol.pac
-        snmp-analyzer.pac
-        ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac
-)
+    snmp.pac
+    snmp-protocol.pac
+    snmp-analyzer.pac
+    ${PROJECT_SOURCE_DIR}/src/analyzer/protocol/asn1/asn1.pac)
diff --git a/src/analyzer/protocol/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt
index fa0e6b083d..7d11ee70d5 100644
--- a/src/analyzer/protocol/socks/CMakeLists.txt
+++ b/src/analyzer/protocol/socks/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     SOCKS
     SOURCES
-        SOCKS.cc
-        Plugin.cc
+    SOCKS.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        socks.pac
-        socks-protocol.pac
-        socks-analyzer.pac
-)
+    socks.pac
+    socks-protocol.pac
+    socks-analyzer.pac)
diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt
index 6205089530..f2364bffef 100644
--- a/src/analyzer/protocol/ssh/CMakeLists.txt
+++ b/src/analyzer/protocol/ssh/CMakeLists.txt
@@ -2,14 +2,13 @@ zeek_add_plugin(
     Zeek
     SSH
     SOURCES
-        SSH.cc
-        Plugin.cc
+    SSH.cc
+    Plugin.cc
     BIFS
-        types.bif
-        events.bif
+    types.bif
+    events.bif
     PAC
-        ssh.pac
-        ssh-analyzer.pac
-        ssh-protocol.pac
-        consts.pac
-)
+    ssh.pac
+    ssh-analyzer.pac
+    ssh-protocol.pac
+    consts.pac)
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 6431a31876..4d49622f57 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -2,34 +2,34 @@ zeek_add_plugin(
     Zeek
     SSL
     SOURCES
-#        SSL.cc
-#        DTLS.cc
-        Plugin.cc
+    #    SSL.cc
+    #    DTLS.cc
+    Plugin.cc
     BIFS
-#        types.bif
-#        events.bif
-        functions.bif
-#        consts.bif
-#    PAC
-#        tls-handshake.pac
-#        tls-handshake-protocol.pac
-#        tls-handshake-analyzer.pac
-#        ssl-defs.pac
-#        proc-certificate.pac
-#        tls-handshake-signed_certificate_timestamp.pac
-#    PAC
-#        ssl.pac
-#        ssl-dtls-analyzer.pac
-#        ssl-analyzer.pac
-#        ssl-dtls-protocol.pac
-#        ssl-protocol.pac
-#        ssl-defs.pac
-#        proc-certificate.pac
-#    PAC
-#        dtls.pac
-#        ssl-dtls-analyzer.pac
-#        dtls-analyzer.pac
-#        ssl-dtls-protocol.pac
-#        dtls-protocol.pac
-#        ssl-defs.pac
+    #    types.bif
+    #    events.bif
+    functions.bif
+    #    consts.bif
+    #    PAC
+    #    tls-handshake.pac
+    #    tls-handshake-protocol.pac
+    #    tls-handshake-analyzer.pac
+    #    ssl-defs.pac
+    #    proc-certificate.pac
+    #    tls-handshake-signed_certificate_timestamp.pac
+    #    PAC
+    #    ssl.pac
+    #    ssl-dtls-analyzer.pac
+    #    ssl-analyzer.pac
+    #    ssl-dtls-protocol.pac
+    #    ssl-protocol.pac
+    #    ssl-defs.pac
+    #    proc-certificate.pac
+    #    PAC
+    #    dtls.pac
+    #    ssl-dtls-analyzer.pac
+    #    dtls-analyzer.pac
+    #    ssl-dtls-protocol.pac
+    #    dtls-protocol.pac
+    #    ssl-defs.pac)
 )
diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac
index 1a68e0d846..be60fdfc77 100644
--- a/src/analyzer/protocol/ssl/dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac
@@ -138,6 +138,33 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+		function proc_unified_record(is_orig: bool, ur: UnifiedRecord) : bool
+			%{
+			// we don't have a CCS packet anymore - so let's just assume the connection is established once we have seen a packet from each direction.
+			if ( is_orig )
+				client_state_ = STATE_ENCRYPTED;
+			else
+				server_state_ = STATE_ENCRYPTED;
+
+			if ( client_state_ == STATE_ENCRYPTED && server_state_ == STATE_ENCRYPTED && established_ == false )
+				{
+				established_ = true;
+				if ( ssl_established )
+					zeek::BifEvent::enqueue_ssl_established(zeek_analyzer(), zeek_analyzer()->Conn());
+				}
+
+			if ( ssl_encrypted_data )
+				{
+				// In case a CID is given, swallow is not quite the correct length, because we are not parsing the entire header. This is not entirely
+				// trivial to work around, and the workaround won't work in all cases - and it might also not matter.
+				// We also have more potentially interesting information (the sequence number) - which we don't currently give to scriptland.
+				zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
+					zeek_analyzer()->Conn(), is_orig ^ zeek_analyzer()->GetFlipped(), DTLSv13, APPLICATION_DATA, ur->swallow().length());
+				}
+
+			return true;
+			%}
 };
 
 refine typeattr SSLRecord += &let {
@@ -147,3 +174,7 @@ refine typeattr SSLRecord += &let {
 refine typeattr Handshake += &let {
 	proc: bool = $context.connection.proc_handshake(rec, this);
 };
+
+refine typeattr UnifiedRecord += &let {
+	proc: bool = $context.connection.proc_unified_record(is_orig, this);
+};
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index 760a0bc4e4..3d316cd636 100644
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -4,11 +4,45 @@
 ######################################################################
 
 type DTLSPDU(is_orig: bool) = record {
-	records: SSLRecord(is_orig)[] &transient;
+	records: SSLRecordSwitch(is_orig)[] &transient;
 };
 
-type SSLRecord(is_orig: bool) = record {
-	content_type: uint8;
+# This feels like (another) really dirty hack. DTLS 1.3 introduces a new way in which ciphertext records
+# can be encoded, using a new unified header, which is completely different from the earlier DTLS headers.
+# It only is used after the client & server hello - which essentially are the same as in DTLS 1.2 (including
+# using the same record-layer versions - which is why `dtls_version_ok` underneath does not refer to DTLS 1.3)
+# The DTLS 1.3 unified header is signaled by the first 3 bits of the first byte being set to `001`, but only
+# after DTLS 1.3 has been negotiated.
+type SSLRecordSwitch(is_orig: bool) = record {
+	firstbyte: uint8;
+
+	cont: case $context.connection.is_unified_record(firstbyte) of {
+		false -> rec: SSLRecord(firstbyte, is_orig);
+		true -> unified: UnifiedRecord(firstbyte, is_orig);
+	};
+};
+
+type UnifiedRecord(firstbyte: uint8, is_orig: bool) = record {
+	# If we have a CID, we do currently not try to parse anything, as the connection
+	# ID is variable length, with the length not given in this packet (but only in the hello message
+	# of the opposite side of the direction).
+	seqnum: case with_cid of {
+		false -> sequence_number: bytestring &length=(sequence_number_length?2:1);
+		true -> nothing1: bytestring &length=0;
+	} &requires(sequence_number_length) &requires(with_cid);
+	lengthfield: case (with_cid == false && length_present == true) of {
+		true -> length: uint16;
+		false -> nothing2: bytestring &length=0;
+	} &requires(length_present) &requires(with_cid);
+	swallow: bytestring &restofdata;
+} &let {
+	with_cid: bool = ((firstbyte&0x10)==0x10);
+	sequence_number_length: bool = ((firstbyte&0x08)==0x08);
+	length_present: bool = ((firstbyte&0x04)==0x04);
+	epoch_low_bits: uint8 = (firstbyte&0x03);
+} &byteorder = bigendian;
+
+type SSLRecord(content_type: uint8, is_orig: bool) = record {
 	version: uint16;
 # the epoch signalizes that a changecipherspec message has been received. Hence, everything with
 # an epoch > 0 should be encrypted
@@ -83,4 +117,9 @@ refine connection SSL_Conn += {
 		}
 		%}
 
+		function is_unified_record(firstbyte: uint8): bool
+			%{
+			uint16_t negotiated_version = zeek_analyzer()->GetNegotiatedVersion();
+			return negotiated_version == DTLSv13 && ( (firstbyte & 0xE0) == 0x20 );
+			%}
 };
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 7749c5c758..3a6e0e3ff7 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -106,7 +106,7 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ##    ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-##    ssl_connection_flipped
+##    ssl_connection_flipped ssl_extension_connection_id
 event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@@ -129,6 +129,7 @@ event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -153,6 +154,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: ind
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%);
 
 ## Generated for an Signature Algorithms extension. This TLS extension
@@ -176,6 +178,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_form
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 
 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@@ -198,6 +201,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signatu
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%);
 
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
@@ -222,6 +226,7 @@ event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
+##    ssl_extension_connection_id
 event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%);
 
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
@@ -242,6 +247,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool,
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%);
 
 ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
@@ -360,6 +366,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%);
 
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@@ -384,6 +391,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_cl
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%);
 
 ## Generated for the signed_certificate_timestamp TLS extension as defined in
@@ -417,6 +425,7 @@ event ssl_extension_server_name%(c: connection, is_client: bool, names: string_v
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    x509_ocsp_ext_signed_certificate_timestamp sct_verify
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 
 ## Generated for an TLS Supported Versions extension. This TLS extension
@@ -439,6 +448,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%);
 
 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@@ -459,8 +469,30 @@ event ssl_extension_supported_versions%(c: connection, is_client: bool, versions
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%);
 
+## Generated for an DTLS Connection ID extension. This TLS extension is defined
+## in the RFC 9146 and sent by the client or the server to signify that Connection IDs should
+## be used for the connection.
+##
+## c: The connection.
+##
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
+##
+## cid: The connection ID given by the client or the server.
+##
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_key_share ssl_extension_server_name
+##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+event ssl_extension_connection_id%(c: connection, is_client: bool, cid: string%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
@@ -577,6 +609,12 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed
 ## from its default to false for this event to be generated.
 ##
+## Also note that, for DTLS 1.3, it is not always possible to give an exact length for
+## the payload that is transported in the packet. If connection IDs are used, the length
+## provided is the length of the entire packet, without the first byte (for the unified header).
+## If no connection IDs are used, the length given is the actual payload length. Connection IDs
+## are used with the connection ID extension in the client or server hello.
+##
 ## c: The connection.
 ##
 ## is_client: True if event is raised for the client side of the connection
@@ -589,10 +627,11 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## content_type: message type as reported by TLS session layer. Not populated for
 ##               SSLv2.
 ##
-## length: length of the entire message.
+## length: length of the encrypted payload in the record.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
+##    ssl_extension_connection_id
 event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
 
 ## This event is generated for application data records of TLS 1.3 connections of which
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 072c7d5de6..ae9930f1a6 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -77,6 +77,7 @@ function version_ok(vers : uint16) : bool
 	case TLSv13:
 	case DTLSv10:
 	case DTLSv12:
+	case DTLSv13:
 		return true;
 
 	default:
@@ -121,7 +122,8 @@ enum SSLVersions {
 
 	DTLSv10   = 0xFEFF,
 	# DTLSv11 does not exist.
-	DTLSv12   = 0xFEFD
+	DTLSv12   = 0xFEFD,
+	DTLSv13   = 0xFEFC
 };
 
 enum SSLExtensions {
@@ -155,6 +157,7 @@ enum SSLExtensions {
 	EXT_CERTIFICATE_AUTHORITIES = 47,
 	EXT_OID_FILTERS = 48,
 	EXT_KEY_SHARE = 51,
+	EXT_CONNECTION_ID = 54,
 	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
 	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
 	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index ce19a4b2a9..251047dec6 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -670,6 +670,17 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function proc_connection_id(rec: HandshakeRecord, cid: bytestring) : bool
+		%{
+		if ( ! ssl_extension_connection_id )
+			return true;
+
+		auto cid_string = zeek::make_intrusive<zeek::StringVal>(cid.length(), (const char*) cid.data());
+		zeek::BifEvent::enqueue_ssl_extension_connection_id(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(cid_string));
+
+		return true;
+		%}
+
 };
 
 refine typeattr ClientHello += &let {
@@ -802,3 +813,7 @@ refine typeattr SignedCertificateTimestamp += &let {
 refine typeattr CertificateRequest += &let {
 	proc: bool = $context.connection.proc_certificate_request(rec, this);
 };
+
+refine typeattr ConnectionId += &let {
+	proc: bool = $context.connection.proc_connection_id(rec, cid);
+};
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 2aa6b6a45e..014afa7490 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -811,12 +811,18 @@ type SSLExtension(rec: HandshakeRecord) = record {
 		EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 		EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 		EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
+		EXT_CONNECTION_ID -> connection_id: ConnectionId(rec)[] &until($element == 0 || $element != 0);
 		default -> data: bytestring &restofdata;
 	};
 } &length=data_len+4 &exportsourcedata;
 
 %include tls-handshake-signed_certificate_timestamp.pac
 
+type ConnectionId(rec: HandshakeRecord) = record {
+	length: uint8;
+	cid: bytestring &length=length;
+};
+
 type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
 	true -> a: SupportedVersions(rec);
 	false -> b: OneSupportedVersion(rec);
diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
index c80aefeb32..57c78fdf92 100644
--- a/src/analyzer/protocol/syslog/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/CMakeLists.txt
@@ -1,9 +1,8 @@
 spicy_add_analyzer(
-  NAME
+    NAME
     Syslog
-  SOURCES
+    SOURCES
     syslog.spicy
     syslog.evt
-  LEGACY
-    legacy
-)
+    LEGACY
+    legacy)
diff --git a/src/analyzer/protocol/syslog/legacy/CMakeLists.txt b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt
index 472344a519..ef2f7330d5 100644
--- a/src/analyzer/protocol/syslog/legacy/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     Syslog
     SOURCES
-        Syslog.cc
-        Plugin.cc
+    Syslog.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        syslog.pac
-        syslog-analyzer.pac
-        syslog-protocol.pac
-)
+    syslog.pac
+    syslog-analyzer.pac
+    syslog-protocol.pac)
diff --git a/src/analyzer/protocol/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt
index 613fdc2249..42e41c9dac 100644
--- a/src/analyzer/protocol/tcp/CMakeLists.txt
+++ b/src/analyzer/protocol/tcp/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     TCP
     SOURCES
-        TCP.cc
-        TCP_Endpoint.cc
-        TCP_Reassembler.cc
-        ContentLine.cc
-        Plugin.cc
+    TCP.cc
+    TCP_Endpoint.cc
+    TCP_Reassembler.cc
+    ContentLine.cc
+    Plugin.cc
     BIFS
-        events.bif
-        types.bif
-        functions.bif
-)
+    events.bif
+    types.bif
+    functions.bif)
diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt
index aa3b8336a6..3ea127d691 100644
--- a/src/analyzer/protocol/xmpp/CMakeLists.txt
+++ b/src/analyzer/protocol/xmpp/CMakeLists.txt
@@ -2,12 +2,11 @@ zeek_add_plugin(
     Zeek
     XMPP
     SOURCES
-        Plugin.cc
-        XMPP.cc
+    Plugin.cc
+    XMPP.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        xmpp.pac
-        xmpp-analyzer.pac
-        xmpp-protocol.pac
-)
+    xmpp.pac
+    xmpp-analyzer.pac
+    xmpp-protocol.pac)
diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
index d51057c15d..e7c11ccdbb 100644
--- a/src/analyzer/protocol/zip/CMakeLists.txt
+++ b/src/analyzer/protocol/zip/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    Zeek
-    ZIP
-    SOURCES
-        ZIP.cc
-        Plugin.cc
-)
+zeek_add_plugin(Zeek ZIP SOURCES ZIP.cc Plugin.cc)
diff --git a/src/broker/CMakeLists.txt b/src/broker/CMakeLists.txt
index e2e54b288d..472f67e11d 100644
--- a/src/broker/CMakeLists.txt
+++ b/src/broker/CMakeLists.txt
@@ -1,13 +1,14 @@
 zeek_add_subdir_library(
     comm
-    INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+    INCLUDE_DIRS
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}
     SOURCES
-        Data.cc
-        Manager.cc
-        Store.cc
+    Data.cc
+    Manager.cc
+    Store.cc
     BIFS
-        comm.bif
-        data.bif
-        messaging.bif
-        store.bif
-)
+    comm.bif
+    data.bif
+    messaging.bif
+    store.bif)
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index fda653364c..0c47096c34 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -643,7 +643,7 @@ std::string Manager::NodeID() const
 	return to_string(bstate->endpoint.node_id());
 	}
 
-bool Manager::PublishEvent(string topic, std::string name, broker::vector args)
+bool Manager::PublishEvent(string topic, std::string name, broker::vector args, double ts)
 	{
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
@@ -652,7 +652,7 @@ bool Manager::PublishEvent(string topic, std::string name, broker::vector args)
 		return true;
 
 	DBG_LOG(DBG_BROKER, "Publishing event: %s", RenderEvent(topic, name, args).c_str());
-	broker::zeek::Event ev(std::move(name), std::move(args));
+	broker::zeek::Event ev(std::move(name), std::move(args), broker::to_timestamp(ts));
 	bstate->endpoint.publish(std::move(topic), ev.move_data());
 	++statistics.num_events_outgoing;
 	return true;
@@ -681,7 +681,10 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
 		xs.emplace_back(data_val->data);
 		}
 
-	return PublishEvent(std::move(topic), event_name, std::move(xs));
+	// At this point we come from script-land. This means that publishing of the event was
+	// explicitly triggered. Hence, the timestamp is set to the current network time. This also
+	// means that timestamping cannot be manipulated from script-land for now.
+	return PublishEvent(std::move(topic), event_name, std::move(xs), run_state::network_time);
 	}
 
 bool Manager::PublishIdentifier(std::string topic, std::string id)
@@ -1386,8 +1389,15 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 
 	auto name = std::move(ev.name());
 	auto args = std::move(ev.args());
+	double ts;
 
-	DBG_LOG(DBG_BROKER, "Process event: %s %s", name.data(), RenderMessage(args).data());
+	if ( auto ev_ts = ev.ts() )
+		broker::convert(*ev_ts, ts);
+	else
+		// Default to current network time, if the received event did not contain a timestamp.
+		ts = run_state::network_time;
+
+	DBG_LOG(DBG_BROKER, "Process event: %s (%.6f) %s", name.data(), ts, RenderMessage(args).data());
 	++statistics.num_events_incoming;
 	auto handler = event_registry->Lookup(name);
 
@@ -1469,7 +1479,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		}
 
 	if ( vl.size() == args.size() )
-		event_mgr.Enqueue(handler, std::move(vl), util::detail::SOURCE_BROKER);
+		event_mgr.Enqueue(handler, std::move(vl), util::detail::SOURCE_BROKER, 0, nullptr, ts);
 	}
 
 bool Manager::ProcessLogCreate(broker::zeek::LogCreate lc)
diff --git a/src/broker/Manager.h b/src/broker/Manager.h
index 6e514990cb..eb3d050b9b 100644
--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@@ -183,9 +183,11 @@ public:
 	 * of this topic name.
 	 * @param name the name of the event
 	 * @param args the event's arguments
+	 * @param ts the timestamp the event is intended to be executed
 	 * @return true if the message is sent successfully.
 	 */
-	bool PublishEvent(std::string topic, std::string name, broker::vector args);
+	bool PublishEvent(std::string topic, std::string name, broker::vector args,
+	                  double ts = run_state::network_time);
 
 	/**
 	 * Send an event to any interested peers.
@@ -193,7 +195,8 @@ public:
 	 * Peers advertise interest by registering a subscription to some prefix
 	 * of this topic name.
 	 * @param ev the event and its arguments to send to peers, in the form of
-	 * a Broker::Event record type.
+	 * a Broker::Event record type. The timestamp for the event is set to the
+	 * current network time.
 	 * @return true if the message is sent successfully.
 	 */
 	bool PublishEvent(std::string topic, RecordVal* ev);
diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt
index 80d842e8fc..7920c40f36 100644
--- a/src/file_analysis/CMakeLists.txt
+++ b/src/file_analysis/CMakeLists.txt
@@ -1,16 +1,17 @@
 zeek_add_subdir_library(
     file_analysis
-    INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+    INCLUDE_DIRS
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}
     SOURCES
-        Manager.cc
-        File.cc
-        FileTimer.cc
-        FileReassembler.cc
-        Analyzer.cc
-        AnalyzerSet.cc
-        Component.cc
+    Manager.cc
+    File.cc
+    FileTimer.cc
+    FileReassembler.cc
+    Analyzer.cc
+    AnalyzerSet.cc
+    Component.cc
     BIFS
-        file_analysis.bif
-)
+    file_analysis.bif)
 
 add_subdirectory(analyzer)
diff --git a/src/file_analysis/analyzer/data_event/CMakeLists.txt b/src/file_analysis/analyzer/data_event/CMakeLists.txt
index e8eda489f0..eb8042dd77 100644
--- a/src/file_analysis/analyzer/data_event/CMakeLists.txt
+++ b/src/file_analysis/analyzer/data_event/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     FileDataEvent
     SOURCES
-        DataEvent.cc
-        Plugin.cc
+    DataEvent.cc
+    Plugin.cc
     INCLUDE_DIRS
-        "${CMAKE_CURRENT_SOURCE_DIR}"
-)
+    "${CMAKE_CURRENT_SOURCE_DIR}")
diff --git a/src/file_analysis/analyzer/entropy/CMakeLists.txt b/src/file_analysis/analyzer/entropy/CMakeLists.txt
index 6608822199..944cf64a3c 100644
--- a/src/file_analysis/analyzer/entropy/CMakeLists.txt
+++ b/src/file_analysis/analyzer/entropy/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     FileEntropy
     SOURCES
-        Entropy.cc
-        Plugin.cc
+    Entropy.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/file_analysis/analyzer/extract/CMakeLists.txt b/src/file_analysis/analyzer/extract/CMakeLists.txt
index 38ce0fd4db..0c08872172 100644
--- a/src/file_analysis/analyzer/extract/CMakeLists.txt
+++ b/src/file_analysis/analyzer/extract/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     FileExtract
     SOURCES
-        Extract.cc
-        Plugin.cc
+    Extract.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc
index 77a696daf3..e6805b867a 100644
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@@ -23,7 +23,7 @@ Extract::Extract(RecordValPtr args, file_analysis::File* file, const std::string
 	if ( file_stream )
 		{
 		// Try to ensure full buffering.
-		if ( setvbuf(file_stream, nullptr, _IOFBF, BUFSIZ) )
+		if ( util::detail::setvbuf(file_stream, nullptr, _IOFBF, BUFSIZ) )
 			{
 			util::zeek_strerror_r(errno, buf, sizeof(buf));
 			reporter->Warning("cannot set buffering mode for %s: %s", filename.data(), buf);
diff --git a/src/file_analysis/analyzer/hash/CMakeLists.txt b/src/file_analysis/analyzer/hash/CMakeLists.txt
index fc1fcf50de..adfd96007f 100644
--- a/src/file_analysis/analyzer/hash/CMakeLists.txt
+++ b/src/file_analysis/analyzer/hash/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     FileHash
     SOURCES
-        Hash.cc
-        Plugin.cc
+    Hash.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt
index dd8000f1eb..ff98b004db 100644
--- a/src/file_analysis/analyzer/pe/CMakeLists.txt
+++ b/src/file_analysis/analyzer/pe/CMakeLists.txt
@@ -2,15 +2,14 @@ zeek_add_plugin(
     Zeek
     PE
     SOURCES
-        PE.cc
-        Plugin.cc
+    PE.cc
+    Plugin.cc
     BIFS
-        events.bif
+    events.bif
     PAC
-        pe.pac
-        pe-analyzer.pac
-        pe-file-headers.pac
-        pe-file-idata.pac
-        pe-file.pac
-        pe-file-types.pac
-)
+    pe.pac
+    pe-analyzer.pac
+    pe-file-headers.pac
+    pe-file-idata.pac
+    pe-file.pac
+    pe-file-types.pac)
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index dbd93f0d3a..7f9541df0d 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -2,16 +2,15 @@ zeek_add_plugin(
     Zeek
     X509
     SOURCES
-        X509Common.cc
-        X509.cc
-        OCSP.cc
-        Plugin.cc
+    X509Common.cc
+    X509.cc
+    OCSP.cc
+    Plugin.cc
     BIFS
-        events.bif
-        types.bif
-        functions.bif
-        ocsp_events.bif
+    events.bif
+    types.bif
+    functions.bif
+    ocsp_events.bif
     PAC
-        x509-extension.pac
-        x509-signed_certificate_timestamp.pac
-)
+    x509-extension.pac
+    x509-signed_certificate_timestamp.pac)
diff --git a/src/fuzzers/CMakeLists.txt b/src/fuzzers/CMakeLists.txt
index a7bef79ecb..5bf6e7b5eb 100644
--- a/src/fuzzers/CMakeLists.txt
+++ b/src/fuzzers/CMakeLists.txt
@@ -1,18 +1,18 @@
-########################################################################
-## Fuzzing targets
+# ##############################################################################
+# Fuzzing targets
 
-if ( NOT ZEEK_ENABLE_FUZZERS )
+if (NOT ZEEK_ENABLE_FUZZERS)
     return()
 endif ()
 
-if ( NOT DEFINED ZEEK_FUZZING_ENGINE AND DEFINED ENV{LIB_FUZZING_ENGINE} )
-    if ( "$ENV{LIB_FUZZING_ENGINE}" STREQUAL "" )
+if (NOT DEFINED ZEEK_FUZZING_ENGINE AND DEFINED ENV{LIB_FUZZING_ENGINE})
+    if ("$ENV{LIB_FUZZING_ENGINE}" STREQUAL "")
         # Empty LIB_FUZZING_ENGINE, assume libFuzzer
         set(ZEEK_FUZZING_ENGINE "-fsanitize=fuzzer" CACHE INTERNAL "" FORCE)
     else ()
-        STRING(SUBSTRING "$ENV{LIB_FUZZING_ENGINE}" 0 1 _first_char)
+        string(SUBSTRING "$ENV{LIB_FUZZING_ENGINE}" 0 1 _first_char)
 
-        if ( "${_first_char}" STREQUAL "-" OR EXISTS "$ENV{LIB_FUZZING_ENGINE}" )
+        if ("${_first_char}" STREQUAL "-" OR EXISTS "$ENV{LIB_FUZZING_ENGINE}")
             # Looks like a linker flag or valid file, use it
             set(ZEEK_FUZZING_ENGINE "$ENV{LIB_FUZZING_ENGINE}" CACHE INTERNAL "" FORCE)
         else ()
@@ -23,37 +23,36 @@ if ( NOT DEFINED ZEEK_FUZZING_ENGINE AND DEFINED ENV{LIB_FUZZING_ENGINE} )
 endif ()
 
 # The bind library is handled a bit hack-ishly since it defaults to linking it
-# as static library by default on Linux, but at least on one common distro,
-# that static library wasn't compiled with -fPIC and so not usable in the
-# shared library we're trying to build.  So instead, the fuzzer executable, not
-# the shared lib, links it.
+# as static library by default on Linux, but at least on one common distro, that
+# static library wasn't compiled with -fPIC and so not usable in the shared
+# library we're trying to build.  So instead, the fuzzer executable, not the
+# shared lib, links it.
 string(REGEX MATCH ".*\\.a$" _have_static_bind_lib "${BIND_LIBRARY}")
 
-macro(SETUP_FUZZ_TARGET _fuzz_target _fuzz_source)
+macro (SETUP_FUZZ_TARGET _fuzz_target _fuzz_source)
     add_executable(${_fuzz_target} ${_fuzz_source} ${ARGN})
     target_link_libraries(${_fuzz_target} zeek_fuzzer_shared)
 
-    if ( _have_static_bind_lib )
+    if (_have_static_bind_lib)
         target_link_libraries(${_fuzz_target} ${BIND_LIBRARY})
     endif ()
 
     target_link_libraries(${_fuzz_target} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
 
-    if ( DEFINED ZEEK_FUZZING_ENGINE )
+    if (DEFINED ZEEK_FUZZING_ENGINE)
         target_link_libraries(${_fuzz_target} ${ZEEK_FUZZING_ENGINE})
     else ()
-        target_link_libraries(${_fuzz_target}
-                              $<TARGET_OBJECTS:zeek_fuzzer_standalone>)
+        target_link_libraries(${_fuzz_target} $<TARGET_OBJECTS:zeek_fuzzer_standalone>)
     endif ()
-endmacro()
+endmacro ()
 
-macro(ADD_FUZZ_TARGET _name)
+macro (ADD_FUZZ_TARGET _name)
     set(_fuzz_target zeek-${_name}-fuzzer)
     set(_fuzz_source ${_name}-fuzzer.cc)
     setup_fuzz_target(${_fuzz_target} ${_fuzz_source})
 endmacro ()
 
-macro(ADD_GENERIC_ANALYZER_FUZZ_TARGET _name)
+macro (ADD_GENERIC_ANALYZER_FUZZ_TARGET _name)
     set(_fuzz_target zeek-${_name}-fuzzer)
     set(_fuzz_source generic-analyzer-fuzzer.cc)
     setup_fuzz_target(${_fuzz_target} ${_fuzz_source})
@@ -68,9 +67,9 @@ target_sources(zeek_fuzzer_shared PRIVATE FuzzBuffer.cc)
 
 set(zeek_fuzzer_shared_deps)
 
-foreach(_dep ${zeekdeps} )
-    if ( "${_dep}" STREQUAL "${BIND_LIBRARY}" )
-        if ( NOT _have_static_bind_lib )
+foreach (_dep ${zeekdeps})
+    if ("${_dep}" STREQUAL "${BIND_LIBRARY}")
+        if (NOT _have_static_bind_lib)
             set(zeek_fuzzer_shared_deps ${zeek_fuzzer_shared_deps} ${_dep})
         endif ()
     else ()
@@ -78,9 +77,8 @@ foreach(_dep ${zeekdeps} )
     endif ()
 endforeach ()
 
-target_link_libraries(zeek_fuzzer_shared PUBLIC
-                      ${zeek_fuzzer_shared_deps}
-                      ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
+target_link_libraries(zeek_fuzzer_shared PUBLIC ${zeek_fuzzer_shared_deps}
+                                                ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
 
 add_fuzz_target(packet)
 add_fuzz_target(dns)
@@ -104,26 +102,27 @@ add_generic_analyzer_fuzz_target(radius)
 add_generic_analyzer_fuzz_target(rdp)
 add_generic_analyzer_fuzz_target(rdpeudp)
 add_generic_analyzer_fuzz_target(rfb)
-add_generic_analyzer_fuzz_target(mount)      #rpc
-add_generic_analyzer_fuzz_target(nfs)        #rpc
-add_generic_analyzer_fuzz_target(portmapper) #rpc
+add_generic_analyzer_fuzz_target(mount) # rpc
+add_generic_analyzer_fuzz_target(nfs) # rpc
+add_generic_analyzer_fuzz_target(portmapper) # rpc
 add_generic_analyzer_fuzz_target(sip)
 add_generic_analyzer_fuzz_target(smb)
 add_generic_analyzer_fuzz_target(snmp)
 add_generic_analyzer_fuzz_target(ssh)
 add_generic_analyzer_fuzz_target(syslog)
 
-#add_generic_analyzer_fuzz_target(finger)  # no pcap files
-#add_generic_analyzer_fuzz_target(gssapi)  # only samples are embedded in smb
-#add_generic_analyzer_fuzz_target(ident)   # no pcap files
-#add_generic_analyzer_fuzz_target(krb)     # should these just be handled by smb?
-#add_generic_analyzer_fuzz_target(krb_tcp) # should these just be handled by smb?
-#add_generic_analyzer_fuzz_target(rsh)     # login - no pcap files
-#add_generic_analyzer_fuzz_target(rlogin)  # login - no pcap files
-#add_generic_analyzer_fuzz_target(telnet)  # login - no pcap files
-#add_generic_analyzer_fuzz_target(netbios) # no pcap files
-#add_generic_analyzer_fuzz_target(ntlm)    # only samples are embedded in dce-rpc or smb
-#add_generic_analyzer_fuzz_target(xdr)     # rpc - no pcap files
-#add_generic_analyzer_fuzz_target(sip_tcp) # unnecessary?
-#add_generic_analyzer_fuzz_target(socks)   # can this one be tested by adding SOCKS pkts to the HTTP corpus?
-#add_generic_analyzer_fuzz_target(xmpp)    # no pcap files
+# add_generic_analyzer_fuzz_target(finger)  # no pcap files
+# add_generic_analyzer_fuzz_target(gssapi)  # only samples are embedded in smb
+# add_generic_analyzer_fuzz_target(ident)   # no pcap files
+# add_generic_analyzer_fuzz_target(krb)     # should these just be handled by
+# smb? add_generic_analyzer_fuzz_target(krb_tcp) # should these just be handled
+# by smb? add_generic_analyzer_fuzz_target(rsh)     # login - no pcap files
+# add_generic_analyzer_fuzz_target(rlogin)  # login - no pcap files
+# add_generic_analyzer_fuzz_target(telnet)  # login - no pcap files
+# add_generic_analyzer_fuzz_target(netbios) # no pcap files
+# add_generic_analyzer_fuzz_target(ntlm)    # only samples are embedded in
+# dce-rpc or smb add_generic_analyzer_fuzz_target(xdr)     # rpc - no pcap files
+# add_generic_analyzer_fuzz_target(sip_tcp) # unnecessary?
+# add_generic_analyzer_fuzz_target(socks)   # can this one be tested by adding
+# SOCKS pkts to the HTTP corpus? add_generic_analyzer_fuzz_target(xmpp)    # no
+# pcap files
diff --git a/src/fuzzers/fuzzer-setup.h b/src/fuzzers/fuzzer-setup.h
index 7a3ca8343f..56fd04cec6 100644
--- a/src/fuzzers/fuzzer-setup.h
+++ b/src/fuzzers/fuzzer-setup.h
@@ -5,6 +5,7 @@
 
 #include "zeek/Event.h"
 #include "zeek/EventRegistry.h"
+#include "zeek/Options.h"
 #include "zeek/broker/Manager.h"
 #include "zeek/file_analysis/Manager.h"
 #include "zeek/session/Manager.h"
@@ -39,6 +40,7 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
 	options.deterministic_mode = true;
 	options.ignore_checksums = true;
 	options.abort_on_scripting_errors = true;
+	options.dns_mode = zeek::detail::DNS_MgrMode::DNS_FAKE;
 
 	if ( zeek::detail::setup(*argc, *argv, &options).code )
 		abort();
diff --git a/src/input/CMakeLists.txt b/src/input/CMakeLists.txt
index 45c2c2cf58..72fb6acd62 100644
--- a/src/input/CMakeLists.txt
+++ b/src/input/CMakeLists.txt
@@ -1,12 +1,11 @@
 zeek_add_subdir_library(
     input
     SOURCES
-        Component.cc
-        Manager.cc
-        ReaderBackend.cc
-        ReaderFrontend.cc
+    Component.cc
+    Manager.cc
+    ReaderBackend.cc
+    ReaderFrontend.cc
     BIFS
-        input.bif
-)
+    input.bif)
 
 add_subdirectory(readers)
diff --git a/src/input/readers/CMakeLists.txt b/src/input/readers/CMakeLists.txt
index 032a286052..673424e1c2 100644
--- a/src/input/readers/CMakeLists.txt
+++ b/src/input/readers/CMakeLists.txt
@@ -1,4 +1,3 @@
-
 add_subdirectory(ascii)
 add_subdirectory(benchmark)
 add_subdirectory(binary)
@@ -6,4 +5,4 @@ add_subdirectory(config)
 add_subdirectory(raw)
 if (USE_SQLITE)
     add_subdirectory(sqlite)
-endif()
+endif ()
diff --git a/src/input/readers/ascii/CMakeLists.txt b/src/input/readers/ascii/CMakeLists.txt
index 2a4d81ba2f..fc2aa5645e 100644
--- a/src/input/readers/ascii/CMakeLists.txt
+++ b/src/input/readers/ascii/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     AsciiReader
     SOURCES
-        Ascii.cc
-        Plugin.cc
+    Ascii.cc
+    Plugin.cc
     BIFS
-        ascii.bif
-)
+    ascii.bif)
diff --git a/src/input/readers/benchmark/CMakeLists.txt b/src/input/readers/benchmark/CMakeLists.txt
index f40091e955..25a4bdce82 100644
--- a/src/input/readers/benchmark/CMakeLists.txt
+++ b/src/input/readers/benchmark/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     BenchmarkReader
     SOURCES
-        Benchmark.cc
-        Plugin.cc
+    Benchmark.cc
+    Plugin.cc
     BIFS
-        benchmark.bif
-)
+    benchmark.bif)
diff --git a/src/input/readers/binary/CMakeLists.txt b/src/input/readers/binary/CMakeLists.txt
index 83ddb18bc6..0025bec76f 100644
--- a/src/input/readers/binary/CMakeLists.txt
+++ b/src/input/readers/binary/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     BinaryReader
     SOURCES
-        Binary.cc
-        Plugin.cc
+    Binary.cc
+    Plugin.cc
     BIFS
-        binary.bif
-)
+    binary.bif)
diff --git a/src/input/readers/config/CMakeLists.txt b/src/input/readers/config/CMakeLists.txt
index dfe3005a23..aaafc14e6e 100644
--- a/src/input/readers/config/CMakeLists.txt
+++ b/src/input/readers/config/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     ConfigReader
     SOURCES
-        Config.cc
-        Plugin.cc
+    Config.cc
+    Plugin.cc
     BIFS
-        config.bif
-)
+    config.bif)
diff --git a/src/input/readers/raw/CMakeLists.txt b/src/input/readers/raw/CMakeLists.txt
index 6efeb00637..9d70b4c4c8 100644
--- a/src/input/readers/raw/CMakeLists.txt
+++ b/src/input/readers/raw/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     RawReader
     SOURCES
-        Raw.cc
-        Plugin.cc
+    Raw.cc
+    Plugin.cc
     BIFS
-        raw.bif
-)
+    raw.bif)
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index a820ed0619..277d64577f 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -291,7 +291,7 @@ bool Raw::OpenInput()
 			return false;
 			}
 
-		if ( Info().mode == MODE_STREAM )
+		if ( Info().mode == MODE_STREAM || Info().mode == MODE_REREAD )
 			{
 			struct stat sb;
 			if ( fstat(fileno(file.get()), &sb) == -1 )
@@ -300,6 +300,8 @@ bool Raw::OpenInput()
 				Error(Fmt("Could not get fstat for %s", fname.c_str()));
 				return false;
 				}
+
+			mtime = sb.st_mtime;
 			ino = sb.st_ino;
 			dev = sb.st_dev;
 			}
@@ -587,7 +589,7 @@ bool Raw::DoUpdate()
 					return false;
 					}
 
-				if ( sb.st_ino == ino && sb.st_mtime == mtime )
+				if ( sb.st_dev == dev && sb.st_ino == ino && sb.st_mtime == mtime )
 					// no change
 					return true;
 
diff --git a/src/input/readers/sqlite/CMakeLists.txt b/src/input/readers/sqlite/CMakeLists.txt
index 7d38b66baa..bb8bd4159c 100644
--- a/src/input/readers/sqlite/CMakeLists.txt
+++ b/src/input/readers/sqlite/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     SQLiteReader
     SOURCES
-        SQLite.cc
-        Plugin.cc
+    SQLite.cc
+    Plugin.cc
     BIFS
-        sqlite.bif
-)
+    sqlite.bif)
diff --git a/src/iosource/CMakeLists.txt b/src/iosource/CMakeLists.txt
index 73a433ece4..63881464a5 100644
--- a/src/iosource/CMakeLists.txt
+++ b/src/iosource/CMakeLists.txt
@@ -1,12 +1,11 @@
 zeek_add_subdir_library(
     iosource
     SOURCES
-        BPF_Program.cc
-        Component.cc
-        Manager.cc
-        Packet.cc
-        PktDumper.cc
-        PktSrc.cc
-)
+    BPF_Program.cc
+    Component.cc
+    Manager.cc
+    Packet.cc
+    PktDumper.cc
+    PktSrc.cc)
 
 add_subdirectory(pcap)
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index e9edcab241..cd3aa4fb5d 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -67,7 +67,7 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
 	ip_hdr.reset();
 
 	proto = -1;
-	tunnel_type = BifEnum::Tunnel::IP;
+	tunnel_type = BifEnum::Tunnel::NONE;
 	gre_version = -1;
 	gre_link_type = DLT_RAW;
 
@@ -117,8 +117,18 @@ RecordValPtr Packet::ToRawPktHdrVal() const
 		// Ethernet header layout is:
 		//    dst[6bytes] src[6bytes] ethertype[2bytes]...
 		l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_ETHERNET));
-		l2_hdr->Assign(3, FmtEUI48(data + 6)); // src
-		l2_hdr->Assign(4, FmtEUI48(data)); // dst
+
+		// FmtEUI48 needs at least 6 bytes to print out the mac address, plus 6 bytes for
+		// skipping over the destination address.
+		if ( cap_len >= 12 )
+			l2_hdr->Assign(3, FmtEUI48(data + 6)); // src
+		else
+			l2_hdr->Assign(3, "00:00:00:00:00:00");
+
+		if ( cap_len >= 6 )
+			l2_hdr->Assign(4, FmtEUI48(data)); // dst
+		else
+			l2_hdr->Assign(4, "00:00:00:00:00:00");
 
 		if ( vlan )
 			l2_hdr->Assign(5, vlan);
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 2719047415..bf5c221bd9 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -250,7 +250,7 @@ public:
 	 * the type of tunnel. It is used to pass the tunnel type between the
 	 * packet analyzers during analysis.
 	 */
-	BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
+	BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::NONE;
 
 	/**
 	 * If the packet contains a GRE tunnel, this field will contain the
diff --git a/src/iosource/pcap/CMakeLists.txt b/src/iosource/pcap/CMakeLists.txt
index f3dd6adc2a..1102815afd 100644
--- a/src/iosource/pcap/CMakeLists.txt
+++ b/src/iosource/pcap/CMakeLists.txt
@@ -1,11 +1,4 @@
-zeek_add_plugin(
-    Zeek
-    Pcap
-    SOURCES
-        Source.cc
-        Dumper.cc
-        Plugin.cc
-)
+zeek_add_plugin(Zeek Pcap SOURCES Source.cc Dumper.cc Plugin.cc)
 
 # Treat BIFs as builtin (alternative mode).
 bif_target(pcap.bif)
diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc
index fd01c19554..c8869a0c7c 100644
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@@ -4,6 +4,8 @@
 
 #include "zeek/zeek-config.h"
 
+#include "zeek/3rdparty/doctest.h"
+
 #ifdef HAVE_PCAP_INT_H
 #include <pcap-int.h>
 #endif
@@ -326,6 +328,23 @@ bool PcapSource::SetFilter(int index)
 	return true;
 	}
 
+// Given two pcap_stat structures, compute the difference of linked and dropped
+// and add it to the given Stats object.
+static void update_pktsrc_stats(PktSrc::Stats* stats, const struct pcap_stat* now,
+                                const struct pcap_stat* prev)
+	{
+	decltype(now->ps_drop) ps_drop_diff = 0;
+	decltype(now->ps_recv) ps_recv_diff = 0;
+
+	// This is subtraction of unsigned ints: It's not undefined
+	// and results in modulo arithmetic.
+	ps_recv_diff = now->ps_recv - prev->ps_recv;
+	ps_drop_diff = now->ps_drop - prev->ps_drop;
+
+	stats->link += ps_recv_diff;
+	stats->dropped += ps_drop_diff;
+	}
+
 void PcapSource::Statistics(Stats* s)
 	{
 	char errbuf[PCAP_ERRBUF_SIZE];
@@ -344,11 +363,13 @@ void PcapSource::Statistics(Stats* s)
 
 		else
 			{
-			s->dropped = pstat.ps_drop;
-			s->link = pstat.ps_recv;
+			update_pktsrc_stats(&stats, &pstat, &prev_pstat);
+			prev_pstat = pstat;
 			}
 		}
 
+	s->link = stats.link;
+	s->dropped = stats.dropped;
 	s->received = stats.received;
 	s->bytes_received = stats.bytes_received;
 
@@ -376,4 +397,67 @@ iosource::PktSrc* PcapSource::Instantiate(const std::string& path, bool is_live)
 	return new PcapSource(path, is_live);
 	}
 
+TEST_CASE("pcap source update_pktsrc_stats")
+	{
+	PktSrc::Stats stats;
+	struct pcap_stat now = {0};
+	struct pcap_stat prev = {0};
+
+	SUBCASE("all zero")
+		{
+		update_pktsrc_stats(&stats, &now, &prev);
+		CHECK(stats.link == 0);
+		CHECK(stats.dropped == 0);
+		}
+
+	SUBCASE("no overflow")
+		{
+		now.ps_recv = 7;
+		now.ps_drop = 3;
+		update_pktsrc_stats(&stats, &now, &prev);
+		CHECK(stats.link == 7);
+		CHECK(stats.dropped == 3);
+		}
+
+	SUBCASE("no overflow prev")
+		{
+		stats.link = 2;
+		stats.dropped = 1;
+		prev.ps_recv = 2;
+		prev.ps_drop = 1;
+		now.ps_recv = 7;
+		now.ps_drop = 3;
+
+		update_pktsrc_stats(&stats, &now, &prev);
+		CHECK(stats.link == 7);
+		CHECK(stats.dropped == 3);
+		}
+
+	SUBCASE("overflow")
+		{
+		prev.ps_recv = 4294967295;
+		prev.ps_drop = 4294967294;
+		now.ps_recv = 0;
+		now.ps_drop = 1;
+
+		update_pktsrc_stats(&stats, &now, &prev);
+		CHECK(stats.link == 1);
+		CHECK(stats.dropped == 3);
+		}
+
+	SUBCASE("overflow 2")
+		{
+		stats.link = 4294967295;
+		stats.dropped = 4294967294;
+		prev.ps_recv = 4294967295;
+		prev.ps_drop = 4294967294;
+		now.ps_recv = 10;
+		now.ps_drop = 3;
+
+		update_pktsrc_stats(&stats, &now, &prev);
+		CHECK(stats.link == 4294967306); // 2**32 - 1 + 11
+		CHECK(stats.dropped == 4294967299); // 2**32 - 2 + 5
+		}
+	}
+
 	} // namespace zeek::iosource::pcap
diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h
index b02828ae1c..cbff27963a 100644
--- a/src/iosource/pcap/Source.h
+++ b/src/iosource/pcap/Source.h
@@ -43,6 +43,7 @@ private:
 	Stats stats;
 
 	pcap_t* pd;
+	struct pcap_stat prev_pstat = {0};
 	};
 
 	} // namespace zeek::iosource::pcap
diff --git a/src/logging/CMakeLists.txt b/src/logging/CMakeLists.txt
index 581ea0013d..7690998520 100644
--- a/src/logging/CMakeLists.txt
+++ b/src/logging/CMakeLists.txt
@@ -1,12 +1,11 @@
 zeek_add_subdir_library(
     logging
     SOURCES
-        Component.cc
-        Manager.cc
-        WriterBackend.cc
-        WriterFrontend.cc
+    Component.cc
+    Manager.cc
+    WriterBackend.cc
+    WriterFrontend.cc
     BIFS
-        logging.bif
-)
+    logging.bif)
 
 add_subdirectory(writers)
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 6d9955b8e5..e938a3f140 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -91,7 +91,7 @@ struct Manager::Stream
 	Func* policy = nullptr;
 	list<Filter*> filters;
 
-	using WriterPathPair = pair<int, string>;
+	using WriterPathPair = pair<zeek_int_t, string>;
 	using WriterMap = map<WriterPathPair, WriterInfo*>;
 
 	WriterMap writers; // Writers indexed by id/path pair.
diff --git a/src/logging/writers/CMakeLists.txt b/src/logging/writers/CMakeLists.txt
index 3aa507b316..1508535c34 100644
--- a/src/logging/writers/CMakeLists.txt
+++ b/src/logging/writers/CMakeLists.txt
@@ -1,6 +1,5 @@
-
 add_subdirectory(ascii)
 add_subdirectory(none)
 if (USE_SQLITE)
     add_subdirectory(sqlite)
-endif()
+endif ()
diff --git a/src/logging/writers/ascii/CMakeLists.txt b/src/logging/writers/ascii/CMakeLists.txt
index 940b0ff6b0..b76d2f4265 100644
--- a/src/logging/writers/ascii/CMakeLists.txt
+++ b/src/logging/writers/ascii/CMakeLists.txt
@@ -1,9 +1,8 @@
 zeek_add_plugin(
     Zeek
-        AsciiWriter
+    AsciiWriter
     SOURCES
-        Ascii.cc
-        Plugin.cc
+    Ascii.cc
+    Plugin.cc
     BIFS
-        ascii.bif
-)
+    ascii.bif)
diff --git a/src/logging/writers/none/CMakeLists.txt b/src/logging/writers/none/CMakeLists.txt
index 40415927e1..a9466c1ece 100644
--- a/src/logging/writers/none/CMakeLists.txt
+++ b/src/logging/writers/none/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     NoneWriter
     SOURCES
-        None.cc
-        Plugin.cc
+    None.cc
+    Plugin.cc
     BIFS
-        none.bif
-)
+    none.bif)
diff --git a/src/logging/writers/sqlite/CMakeLists.txt b/src/logging/writers/sqlite/CMakeLists.txt
index 7cbda35fc1..735ba8aec1 100644
--- a/src/logging/writers/sqlite/CMakeLists.txt
+++ b/src/logging/writers/sqlite/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     SQLiteWriter
     SOURCES
-        SQLite.cc
-        Plugin.cc
+    SQLite.cc
+    Plugin.cc
     BIFS
-        sqlite.bif
-)
+    sqlite.bif)
diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt
index 014cbe2755..f7e5f37491 100644
--- a/src/packet_analysis/CMakeLists.txt
+++ b/src/packet_analysis/CMakeLists.txt
@@ -1,11 +1,12 @@
 zeek_add_subdir_library(
     packet_analysis
-    INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+    INCLUDE_DIRS
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}
     SOURCES
-        Analyzer.cc
-        Dispatcher.cc
-        Manager.cc
-        Component.cc
-)
+    Analyzer.cc
+    Dispatcher.cc
+    Manager.cc
+    Component.cc)
 
 add_subdirectory(protocol)
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 832049c2bd..0e8362e96f 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -14,6 +14,9 @@ add_subdirectory(mpls)
 add_subdirectory(pbb)
 add_subdirectory(linux_sll)
 add_subdirectory(linux_sll2)
+add_subdirectory(llc)
+add_subdirectory(snap)
+add_subdirectory(novell_802_3)
 
 add_subdirectory(arp)
 add_subdirectory(ip)
diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc
index 5d9396c6d0..ef9316a718 100644
--- a/src/packet_analysis/protocol/arp/ARP.cc
+++ b/src/packet_analysis/protocol/arp/ARP.cc
@@ -79,6 +79,11 @@ ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") { }
 #define ARPOP_INVREPLY ARPOP_InREPLY
 #endif
 
+// Windows doesn't define this value.
+#ifndef ARPHRD_IEEE802
+#define ARPHRD_IEEE802 6
+#endif
+
 bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
 	packet->l3_proto = L3_ARP;
@@ -110,6 +115,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	switch ( ntohs(ah->ar_hrd) )
 		{
 		case ARPHRD_ETHER:
+		case ARPHRD_IEEE802:
 			if ( ah->ar_hln != 6 )
 				{
 				// don't know how to handle the opcode
diff --git a/src/packet_analysis/protocol/arp/CMakeLists.txt b/src/packet_analysis/protocol/arp/CMakeLists.txt
index 28d7533782..0a2a7b73da 100644
--- a/src/packet_analysis/protocol/arp/CMakeLists.txt
+++ b/src/packet_analysis/protocol/arp/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     ARP
     SOURCES
-        ARP.cc
-        Plugin.cc
+    ARP.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/packet_analysis/protocol/ayiya/CMakeLists.txt b/src/packet_analysis/protocol/ayiya/CMakeLists.txt
index 32f24f88d3..9e79abc894 100644
--- a/src/packet_analysis/protocol/ayiya/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ayiya/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    Zeek
-    AYIYA
-    SOURCES
-        AYIYA.cc
-        Plugin.cc
-)
+zeek_add_plugin(Zeek AYIYA SOURCES AYIYA.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/ethernet/CMakeLists.txt b/src/packet_analysis/protocol/ethernet/CMakeLists.txt
index 8ac662c3b7..bd1577b9b2 100644
--- a/src/packet_analysis/protocol/ethernet/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ethernet/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    Ethernet
-    SOURCES
-        Ethernet.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer Ethernet SOURCES Ethernet.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc
index 5ec767e0ce..57023f4814 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
@@ -6,15 +6,12 @@
 
 using namespace zeek::packet_analysis::Ethernet;
 
-EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
-
-void EthernetAnalyzer::Initialize()
+EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet")
 	{
-	Analyzer::Initialize();
-
-	SNAPAnalyzer = LoadAnalyzer("snap_analyzer");
-	NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer");
-	LLCAnalyzer = LoadAnalyzer("llc_analyzer");
+	snap_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY")->AsCount();
+	novell_forwarding_key =
+		id::find_val("PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY")->AsCount();
+	llc_forwarding_key = id::find_val("PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY")->AsCount();
 	}
 
 bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
@@ -56,31 +53,25 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 	// Other ethernet frame types
 	if ( protocol <= 1500 )
 		{
-		if ( 16 >= len )
+		len -= 14;
+		data += 14;
+
+		if ( len < protocol )
 			{
 			Weird("truncated_ethernet_frame", packet);
 			return false;
 			}
 
 		// Let specialized analyzers take over for non Ethernet II frames.
-		// Note that pdata remains at the start of the ethernet frame.
-
-		AnalyzerPtr eth_analyzer = nullptr;
-
-		if ( data[14] == 0xAA && data[15] == 0xAA )
+		if ( data[0] == 0xAA && data[1] == 0xAA )
 			// IEEE 802.2 SNAP
-			eth_analyzer = SNAPAnalyzer;
-		else if ( data[14] == 0xFF && data[15] == 0xFF )
+			return ForwardPacket(len, data, packet, snap_forwarding_key);
+		else if ( data[0] == 0xFF && data[1] == 0xFF )
 			// Novell raw IEEE 802.3
-			eth_analyzer = NovellRawAnalyzer;
+			return ForwardPacket(len, data, packet, novell_forwarding_key);
 		else
 			// IEEE 802.2 LLC
-			eth_analyzer = LLCAnalyzer;
-
-		if ( eth_analyzer )
-			return eth_analyzer->AnalyzePacket(len, data, packet);
-
-		return true;
+			return ForwardPacket(len, data, packet, llc_forwarding_key);
 		}
 
 	// Undefined (1500 < EtherType < 1536)
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h
index 998b8a687e..777db32146 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@@ -14,7 +14,6 @@ public:
 	EthernetAnalyzer();
 	~EthernetAnalyzer() override = default;
 
-	void Initialize() override;
 	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
 
 	static zeek::packet_analysis::AnalyzerPtr Instantiate()
@@ -23,9 +22,9 @@ public:
 		}
 
 private:
-	AnalyzerPtr SNAPAnalyzer = nullptr;
-	AnalyzerPtr NovellRawAnalyzer = nullptr;
-	AnalyzerPtr LLCAnalyzer = nullptr;
+	zeek_uint_t snap_forwarding_key = 0;
+	zeek_uint_t novell_forwarding_key = 0;
+	zeek_uint_t llc_forwarding_key = 0;
 	};
 
 	}
diff --git a/src/packet_analysis/protocol/fddi/CMakeLists.txt b/src/packet_analysis/protocol/fddi/CMakeLists.txt
index 40d4c00f90..1d1658a3ea 100644
--- a/src/packet_analysis/protocol/fddi/CMakeLists.txt
+++ b/src/packet_analysis/protocol/fddi/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    FDDI
-    SOURCES
-        FDDI.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer FDDI SOURCES FDDI.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/geneve/CMakeLists.txt b/src/packet_analysis/protocol/geneve/CMakeLists.txt
index c71f7c45f3..dbce4d0442 100644
--- a/src/packet_analysis/protocol/geneve/CMakeLists.txt
+++ b/src/packet_analysis/protocol/geneve/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     Geneve
     SOURCES
-        Geneve.cc
-        Plugin.cc
+    Geneve.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/packet_analysis/protocol/gre/CMakeLists.txt b/src/packet_analysis/protocol/gre/CMakeLists.txt
index c9b88e19b5..ad3585ed78 100644
--- a/src/packet_analysis/protocol/gre/CMakeLists.txt
+++ b/src/packet_analysis/protocol/gre/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    GRE
-    SOURCES
-        GRE.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer GRE SOURCES GRE.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index 4eefff20e8..9c1cf311ed 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
@@ -67,7 +67,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	unsigned int eth_len = 0;
 	unsigned int gre_len = gre_header_len(flags_ver);
-	unsigned int ppp_len = gre_version == 1 ? 4 : 0;
+	unsigned int pptp_len = gre_version == 1 ? 4 : 0;
 	unsigned int erspan_len = 0;
 
 	if ( gre_version != 0 && gre_version != 1 )
@@ -149,31 +149,27 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				return false;
 				}
 			}
-
-		else if ( proto_typ == 0x8200 )
+		else if ( ((proto_typ & 0x8200) == 0x8200 && (proto_typ & 0x0F) == 0) ||
+		          ((proto_typ & 0x8300) == 0x8300 && (proto_typ & 0x0F) == 0 &&
+		           (proto_typ <= 0x8370)) ||
+		          (proto_typ == 0x9000) )
 			{
-			// ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
-			// an 8-byte LLC header, then IPv4. There's very little in the way of documentation
-			// for ARUBA's header format. This is all based on the one sample file we have that
-			// contains it.
-			if ( len > gre_len + 34 )
-				{
-				gre_link_type = DLT_EN10MB;
-				erspan_len = 34;
-
-				// TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
-				// analyzer to make it more independent from the IPTunnel analyzer.
-				// Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
-				// first header as IP instead of Ethernet which it does by default when
-				// gre_version is 0.
-				gre_version = 1;
-				proto = (data[gre_len + 34] & 0xF0) >> 4;
-				}
-			else
+			// ARUBA: Set gre_link_type to IEEE802.11 so the IPTUNNEL analyzer uses
+			// that to instantiate the fake tunnel packet, otherwise it'd be using
+			// DLT_RAW which is not correct for ARUBA.
+			if ( len <= gre_len )
 				{
 				Weird("truncated_GRE", packet);
 				return false;
 				}
+
+			gre_link_type = DLT_IEEE802_11;
+			proto = proto_typ;
+			}
+		else
+			{
+			// Otherwise let the packet analysis forwarding handle it.
+			proto = proto_typ;
 			}
 		}
 
@@ -181,7 +177,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		{
 		if ( proto_typ != 0x880b )
 			{
-			// Enhanced GRE payload must be PPP.
+			// Enhanced GRE payload must be PPTP.
 			Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ));
 			return false;
 			}
@@ -189,9 +185,8 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	if ( flags_ver & 0x4000 )
 		{
-		// RFC 2784 deprecates the variable length routing field
-		// specified by RFC 1701. It could be parsed here, but easiest
-		// to just skip for now.
+		// RFC 2784 deprecates the variable length routing field specified by RFC 1701. It could be
+		// parsed here, but easiest to just skip for now.
 		Weird("gre_routing", packet);
 		return false;
 		}
@@ -203,37 +198,40 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
-	if ( len < gre_len + ppp_len + eth_len + erspan_len )
+	if ( len < gre_len + pptp_len + eth_len + erspan_len )
 		{
 		Weird("truncated_GRE", packet);
 		return false;
 		}
 
-	if ( gre_version == 1 && proto_typ != 0x8200 )
+	// For GRE version 1/PPTP, reset the protocol based on a value from the PPTP header.
+	// TODO: where are these two values defined?
+	if ( gre_version == 1 )
 		{
-		uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
+		uint16_t pptp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
 
-		if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
+		if ( pptp_proto != 0x0021 && pptp_proto != 0x0057 )
 			{
 			Weird("non_ip_packet_in_encap", packet);
 			return false;
 			}
 
-		proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
+		proto = (pptp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 		}
 
-	data += gre_len + ppp_len + erspan_len;
-	len -= gre_len + ppp_len + erspan_len;
+	data += gre_len + pptp_len + erspan_len;
+	len -= gre_len + pptp_len + erspan_len;
 
-	// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
-	// that GRE header is stripped and only payload packet remains.
-	// The only thing different is the tunnel type enum value to use.
+	// Treat GRE tunnel like IP tunnels, fallthrough to logic below now that GRE header is stripped
+	// and only payload packet remains.  The only thing different is the tunnel type enum value to
+	// use.
 	packet->tunnel_type = BifEnum::Tunnel::GRE;
 	packet->gre_version = gre_version;
 	packet->gre_link_type = gre_link_type;
 	packet->proto = proto;
 
-	ForwardPacket(len, data, packet);
+	// This will default to forwarding into IP Tunnel unless something custom is set up.
+	ForwardPacket(len, data, packet, proto);
 
 	return true;
 	}
diff --git a/src/packet_analysis/protocol/gtpv1/CMakeLists.txt b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt
index 63fb5cf5d0..af1e3b15a8 100644
--- a/src/packet_analysis/protocol/gtpv1/CMakeLists.txt
+++ b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt
@@ -2,13 +2,12 @@ zeek_add_plugin(
     Zeek
     GTPv1
     SOURCES
-        GTPv1.cc
-        Plugin.cc
+    GTPv1.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
+    events.bif
+    functions.bif
     PAC
-        gtpv1.pac
-        gtpv1-protocol.pac
-        gtpv1-analyzer.pac
-)
+    gtpv1.pac
+    gtpv1-protocol.pac
+    gtpv1-analyzer.pac)
diff --git a/src/packet_analysis/protocol/icmp/CMakeLists.txt b/src/packet_analysis/protocol/icmp/CMakeLists.txt
index 09cefa1b1b..f1b4f3cee9 100644
--- a/src/packet_analysis/protocol/icmp/CMakeLists.txt
+++ b/src/packet_analysis/protocol/icmp/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     ICMP
     SOURCES
-        ICMP.cc
-        ICMPSessionAdapter.cc
-        Plugin.cc
+    ICMP.cc
+    ICMPSessionAdapter.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt
index b246a23d74..0c2d46b31c 100644
--- a/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    IEEE802_11
-    SOURCES
-        IEEE802_11.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer IEEE802_11 SOURCES IEEE802_11.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
index ad1ce796f2..bd9d913f78 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@@ -17,6 +17,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 		}
 
 	u_char fc_80211 = data[0]; // Frame Control field
+	bool is_amsdu = false;
 
 	// Skip non-data frame types (management & control).
 	if ( ! ((fc_80211 >> 2) & 0x02) )
@@ -26,18 +27,27 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 	if ( (fc_80211 >> 4) & 0x04 )
 		return false;
 
-	// 'To DS' and 'From DS' flags set indicate use of the 4th
-	// address field.
+	// 'To DS' and 'From DS' flags set indicate use of the 4th address field.
 	if ( (data[1] & 0x03) == 0x03 )
 		len_80211 += packet->L2_ADDR_LEN;
 
+	if ( len_80211 >= len )
+		{
+		Weird("truncated_802_11_header", packet);
+		return false;
+		}
+
 	// Look for the QoS indicator bit.
 	if ( (fc_80211 >> 4) & 0x08 )
 		{
-		// Skip in case of A-MSDU subframes indicated by QoS
-		// control field.
-		if ( data[len_80211] & 0x80 )
-			return false;
+		// Store off whether this is an A-MSDU header, which indicates that there are
+		// mulitple packets following the 802.11 header.
+		is_amsdu = (data[len_80211] & 0x80) == 0x80;
+
+		// Check for the protected bit. This means the data is encrypted and we can't
+		// do anything with it.
+		if ( data[1] & 0x40 )
+			return true;
 
 		len_80211 += 2;
 		}
@@ -48,8 +58,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 		return false;
 		}
 
-	// Determine link-layer addresses based
-	// on 'To DS' and 'From DS' flags
+	// Determine link-layer addresses based on 'To DS' and 'From DS' flags
 	switch ( data[1] & 0x03 )
 		{
 		case 0x00:
@@ -73,35 +82,101 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 			break;
 		}
 
-	// skip 802.11 data header
+	// skip the 802.11 data header
 	data += len_80211;
+	len -= len_80211;
 
-	len_80211 += 8;
-	if ( len_80211 >= len )
+	if ( ! is_amsdu )
 		{
-		Weird("truncated_802_11_header", packet);
+		return HandleInnerPacket(len, data, packet);
+		}
+	else
+		{
+		size_t amsdu_padding = 0;
+		size_t encap_index = packet->encap ? packet->encap->Depth() : 0;
+
+		while ( len > 0 )
+			{
+			if ( len < 14 )
+				{
+				Weird("truncated_802_11_amsdu_header", packet);
+				return false;
+				}
+
+			// This is the length of everything after the A-MSDU subframe header.
+			size_t amsdu_len = (data[12] << 8) + data[13];
+			if ( len < amsdu_len )
+				{
+				Weird("truncated_802_11_amsdu_packet", packet);
+				return false;
+				}
+
+			// Skip the A-MSDU subframe header. This should place us at the start of an LLC header.
+			data += 14;
+			len -= 14;
+
+			if ( ! HandleInnerPacket(amsdu_len, data, packet) )
+				{
+				Weird("invalid_802_11_amsdu_inner_packet", packet);
+				return false;
+				}
+
+			data += amsdu_len;
+			len -= amsdu_len;
+
+			// Each A-MSDU subframe is padded by up to 3 bytes to make a multiple of 4. This padding
+			// isn't included in the length field value. The padding also doesn't happen with the
+			// last subframe, so check to see that we can even subtract it. Unfortunately, there
+			// isn't a frame counter in the header so we just have trust that it all works out.
+			amsdu_padding = amsdu_len % 4;
+			if ( len >= amsdu_padding )
+				{
+				data += amsdu_padding;
+				len -= amsdu_padding;
+				}
+
+			// Pop encapsuations back up to the level where we started processing so that the next
+			// subframe gets the same encapsulation stack.
+			if ( packet->encap )
+				{
+				while ( packet->encap->Depth() > encap_index )
+					packet->encap->Pop();
+				}
+			}
+
+		return true;
+		}
+	}
+
+bool IEEE802_11Analyzer::HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const
+	{
+	// Make sure there's room for an LLC header.
+	if ( len < 8 )
+		{
+		Weird("truncated_802_11_llc_header", packet);
 		return false;
 		}
 
-	// Check that the DSAP and SSAP are both SNAP and that the control
-	// field indicates that this is an unnumbered frame.
-	// The organization code (24bits) needs to also be zero to
-	// indicate that this is encapsulated ethernet.
+	// Check that the DSAP and SSAP are both SNAP and that the control field indicates that this is
+	// an unnumbered frame.  The organization code (24bits) needs to also be zero to indicate that
+	// this is encapsulated ethernet.
 	if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 &&
 	     data[5] == 0 )
 		{
 		data += 6;
+		len -= 6;
 		}
 	else
 		{
-		// If this is a logical link control frame without the
-		// possibility of having a protocol we care about, we'll
-		// just skip it for now.
+		// If this is a logical link control frame without the possibility of having a protocol we
+		// care about, we'll just skip it for now.
 		return false;
 		}
 
+	// Get the protocol and skip the rest of the LLC header.
 	uint32_t protocol = (data[0] << 8) + data[1];
 	data += 2;
+	len -= 2;
 
-	return ForwardPacket(len - len_80211, data, packet, protocol);
+	return ForwardPacket(len, data, packet, protocol);
 	}
diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
index 282c76bbaf..23307c3d27 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
@@ -20,6 +20,9 @@ public:
 		{
 		return std::make_shared<IEEE802_11Analyzer>();
 		}
+
+private:
+	bool HandleInnerPacket(size_t len, const uint8_t* data, Packet* packet) const;
 	};
 
 	}
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt
index 2a8b31f1c5..3cfb20083b 100644
--- a/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    IEEE802_11_Radio
-    SOURCES
-        IEEE802_11_Radio.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer IEEE802_11_Radio SOURCES IEEE802_11_Radio.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/ip/CMakeLists.txt b/src/packet_analysis/protocol/ip/CMakeLists.txt
index 59a26a6d55..05b694c482 100644
--- a/src/packet_analysis/protocol/ip/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ip/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     PacketAnalyzer
     IP
     SOURCES
-        IP.cc
-        IPBasedAnalyzer.cc
-        SessionAdapter.cc
-        Plugin.cc
-)
+    IP.cc
+    IPBasedAnalyzer.cc
+    SessionAdapter.cc
+    Plugin.cc)
diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc
index ec2c6dcdc0..1803122c27 100644
--- a/src/packet_analysis/protocol/ip/IP.cc
+++ b/src/packet_analysis/protocol/ip/IP.cc
@@ -2,6 +2,8 @@
 
 #include "zeek/packet_analysis/protocol/ip/IP.h"
 
+#include <netinet/in.h>
+
 #include "zeek/Discard.h"
 #include "zeek/Event.h"
 #include "zeek/Frag.h"
@@ -91,7 +93,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 
 	if ( packet->len < total_len + hdr_size )
 		{
-		Weird("truncated_IPv6", packet);
+		Weird("truncated_IP_len", packet);
 		return false;
 		}
 
@@ -203,6 +205,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				}
 
 			packet->cap_len = total_len + hdr_size;
+			// Assumes reassembled packet has wire length == capture length.
+			packet->len = packet->cap_len;
 			}
 		}
 
@@ -269,6 +273,11 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
+	// If the next protocol is a tunneled type, set the tunnel_type field in the packet to IP
+	// so that it gets handled correctly.
+	if ( proto == IPPROTO_IPV4 || proto == IPPROTO_IPV6 )
+		packet->tunnel_type = BifEnum::Tunnel::IP;
+
 	switch ( proto )
 		{
 		case IPPROTO_NONE:
diff --git a/src/packet_analysis/protocol/iptunnel/CMakeLists.txt b/src/packet_analysis/protocol/iptunnel/CMakeLists.txt
index 6518d38758..01a680323e 100644
--- a/src/packet_analysis/protocol/iptunnel/CMakeLists.txt
+++ b/src/packet_analysis/protocol/iptunnel/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    IPTunnel
-    SOURCES
-        IPTunnel.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer IPTunnel SOURCES IPTunnel.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index f1e44b19a4..1bfb69b09d 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -172,17 +172,29 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
 
 std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
                                            std::shared_ptr<EncapsulationStack> encap_stack,
-                                           uint32_t len, const u_char* data, int link_type,
-                                           BifEnum::Tunnel::Type tunnel_type,
+                                           uint32_t inner_cap_len, const u_char* data,
+                                           int link_type, BifEnum::Tunnel::Type tunnel_type,
                                            const Tag& analyzer_tag)
 	{
 	auto inner_pkt = std::make_unique<Packet>();
 
+	assert(outer_pkt->cap_len >= inner_cap_len);
+	assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len);
+
+	// Compute the wire length of the inner packet based on the wire length of
+	// the outer and the difference in capture lengths. This ensures that for
+	// truncated packets the wire length of the inner packet stays intact. Wire
+	// length may be greater than data available for truncated packets. However,
+	// analyzers do validate lengths found in headers with the wire length
+	// of the packet and keeping it consistent avoids violations.
+	uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len;
+	uint32_t inner_wire_len = outer_pkt->len - consumed_len;
+
 	pkt_timeval ts;
 	ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
 	ts.tv_usec = static_cast<suseconds_t>(
 		(run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
-	inner_pkt->Init(link_type, &ts, len, len, data);
+	inner_pkt->Init(link_type, &ts, inner_cap_len, inner_wire_len, data);
 
 	*encap_index = 0;
 	if ( outer_pkt->session )
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
index cddd981045..9b1fbe35bc 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
@@ -83,13 +83,17 @@ protected:
  * builds a new packet object containing the encapsulated/tunneled packet, as well
  * as adding to the associated encapsulation stack for the tunnel.
  *
+ * The wire length (pkt->len) of the inner packet is computed based on the wire length
+ * of the outer packet and the differences in capture lengths.
+ *
  * @param outer_pkt The packet containing the encapsulation. This packet should contain
  * @param encap_index A return value for the current index into the encapsulation stack.
  * This is returned to allow analyzers to know what point in the stack they were operating
  * on as the packet analysis chain unwinds as it returns.
  * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered
  * in the inner packets.
- * @param len The byte length of the packet data containing in the inner packet.
+ * @param inner_cap_len The byte length of the packet data contained in the inner packet.
+ * Also used as capture length for the inner packet.
  * @param data A pointer to the first byte of the inner packet.
  * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can
  * be passed for this value.
@@ -99,8 +103,8 @@ protected:
  */
 extern std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
                                                   std::shared_ptr<EncapsulationStack> encap_stack,
-                                                  uint32_t len, const u_char* data, int link_type,
-                                                  BifEnum::Tunnel::Type tunnel_type,
+                                                  uint32_t inner_cap_len, const u_char* data,
+                                                  int link_type, BifEnum::Tunnel::Type tunnel_type,
                                                   const Tag& analyzer_tag);
 
 namespace detail
diff --git a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt
index 3d517c53cd..2591b64160 100644
--- a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt
+++ b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    LinuxSLL
-    SOURCES
-        LinuxSLL.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer LinuxSLL SOURCES LinuxSLL.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt
index 63a94ca844..b3072fa4bb 100644
--- a/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt
+++ b/src/packet_analysis/protocol/linux_sll2/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    LinuxSLL2
-    SOURCES
-        LinuxSLL2.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer LinuxSLL2 SOURCES LinuxSLL2.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/llc/CMakeLists.txt b/src/packet_analysis/protocol/llc/CMakeLists.txt
new file mode 100644
index 0000000000..692f39e440
--- /dev/null
+++ b/src/packet_analysis/protocol/llc/CMakeLists.txt
@@ -0,0 +1 @@
+zeek_add_plugin(PacketAnalyzer LLC SOURCES LLC.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/llc/LLC.cc b/src/packet_analysis/protocol/llc/LLC.cc
new file mode 100644
index 0000000000..69bd6343e3
--- /dev/null
+++ b/src/packet_analysis/protocol/llc/LLC.cc
@@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+using namespace zeek::packet_analysis::LLC;
+
+LLCAnalyzer::LLCAnalyzer() : zeek::packet_analysis::Analyzer("LLC") { }
+
+bool LLCAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// An LLC header is at least 3 bytes, check for that first.
+	if ( len < 3 )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	size_t llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	if ( len < llc_header_len )
+		{
+		Weird("truncated_llc_header", packet);
+		return false;
+		}
+
+	// The destination SAP should be the next protocol in the chain, so forward
+	// based on that value. The DSAP is the first byte in header.
+	return ForwardPacket(len, data, packet, data[0]);
+	}
diff --git a/src/packet_analysis/protocol/llc/LLC.h b/src/packet_analysis/protocol/llc/LLC.h
new file mode 100644
index 0000000000..bbdb7ad65c
--- /dev/null
+++ b/src/packet_analysis/protocol/llc/LLC.h
@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::LLC
+	{
+
+class LLCAnalyzer : public Analyzer
+	{
+public:
+	LLCAnalyzer();
+	~LLCAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<LLCAnalyzer>();
+		}
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/llc/Plugin.cc b/src/packet_analysis/protocol/llc/Plugin.cc
new file mode 100644
index 0000000000..b1bc034bbe
--- /dev/null
+++ b/src/packet_analysis/protocol/llc/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/llc/LLC.h"
+
+namespace zeek::plugin::Zeek_LLC
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"LLC", zeek::packet_analysis::LLC::LLCAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::LLC";
+		config.description = "LLC packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/src/packet_analysis/protocol/mpls/CMakeLists.txt b/src/packet_analysis/protocol/mpls/CMakeLists.txt
index 3e40d0fe16..8f14323b77 100644
--- a/src/packet_analysis/protocol/mpls/CMakeLists.txt
+++ b/src/packet_analysis/protocol/mpls/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    MPLS
-    SOURCES
-        MPLS.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer MPLS SOURCES MPLS.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/nflog/CMakeLists.txt b/src/packet_analysis/protocol/nflog/CMakeLists.txt
index 53239f2b6c..fad9feb3b7 100644
--- a/src/packet_analysis/protocol/nflog/CMakeLists.txt
+++ b/src/packet_analysis/protocol/nflog/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    NFLog
-    SOURCES
-        NFLog.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer NFLog SOURCES NFLog.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/novell_802_3/CMakeLists.txt b/src/packet_analysis/protocol/novell_802_3/CMakeLists.txt
new file mode 100644
index 0000000000..9adb81f417
--- /dev/null
+++ b/src/packet_analysis/protocol/novell_802_3/CMakeLists.txt
@@ -0,0 +1 @@
+zeek_add_plugin(PacketAnalyzer Novell_802_3 SOURCES Novell_802_3.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc b/src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc
new file mode 100644
index 0000000000..e7764a3cbb
--- /dev/null
+++ b/src/packet_analysis/protocol/novell_802_3/Novell_802_3.cc
@@ -0,0 +1,14 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+using namespace zeek::packet_analysis::Novell_802_3;
+
+Novell_802_3Analyzer::Novell_802_3Analyzer() : zeek::packet_analysis::Analyzer("Novell_802_3") { }
+
+bool Novell_802_3Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Attempt to forward into the default analyzer, if one exists. This should be an IPX analyzer,
+	// but one doesn't exist yet.
+	return ForwardPacket(len, data, packet);
+	}
diff --git a/src/packet_analysis/protocol/novell_802_3/Novell_802_3.h b/src/packet_analysis/protocol/novell_802_3/Novell_802_3.h
new file mode 100644
index 0000000000..728c7f93e4
--- /dev/null
+++ b/src/packet_analysis/protocol/novell_802_3/Novell_802_3.h
@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::Novell_802_3
+	{
+
+class Novell_802_3Analyzer : public Analyzer
+	{
+public:
+	Novell_802_3Analyzer();
+	~Novell_802_3Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<Novell_802_3Analyzer>();
+		}
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/novell_802_3/Plugin.cc b/src/packet_analysis/protocol/novell_802_3/Plugin.cc
new file mode 100644
index 0000000000..17dfe2e443
--- /dev/null
+++ b/src/packet_analysis/protocol/novell_802_3/Plugin.cc
@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/novell_802_3/Novell_802_3.h"
+
+namespace zeek::plugin::Zeek_Novell_802_3
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"NOVELL_802_3",
+			zeek::packet_analysis::Novell_802_3::Novell_802_3Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::NOVELL_802_3";
+		config.description = "Novell 802.3 variantx packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/src/packet_analysis/protocol/null/CMakeLists.txt b/src/packet_analysis/protocol/null/CMakeLists.txt
index dd0da51371..91e04f8d9d 100644
--- a/src/packet_analysis/protocol/null/CMakeLists.txt
+++ b/src/packet_analysis/protocol/null/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    Null
-    SOURCES
-        Null.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer Null SOURCES Null.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/pbb/CMakeLists.txt b/src/packet_analysis/protocol/pbb/CMakeLists.txt
index cee71edd44..3e6889369c 100644
--- a/src/packet_analysis/protocol/pbb/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pbb/CMakeLists.txt
@@ -1,4 +1,3 @@
-
 include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt b/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt
index c6aa6f8f26..aa4ab35657 100644
--- a/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    PPPSerial
-    SOURCES
-        PPPSerial.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer PPPSerial SOURCES PPPSerial.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/pppoe/CMakeLists.txt b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
index 1173703493..d84229004a 100644
--- a/src/packet_analysis/protocol/pppoe/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    PPPoE
-    SOURCES
-        PPPoE.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer PPPoE SOURCES PPPoE.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/root/CMakeLists.txt b/src/packet_analysis/protocol/root/CMakeLists.txt
index c127ad458f..cd4456cb6a 100644
--- a/src/packet_analysis/protocol/root/CMakeLists.txt
+++ b/src/packet_analysis/protocol/root/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    Root
-    SOURCES
-        Root.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer Root SOURCES Root.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/skip/CMakeLists.txt b/src/packet_analysis/protocol/skip/CMakeLists.txt
index 85cede467f..a8d4bc517a 100644
--- a/src/packet_analysis/protocol/skip/CMakeLists.txt
+++ b/src/packet_analysis/protocol/skip/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    Skip
-    SOURCES
-        Skip.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer Skip SOURCES Skip.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/snap/CMakeLists.txt b/src/packet_analysis/protocol/snap/CMakeLists.txt
new file mode 100644
index 0000000000..e064f3c395
--- /dev/null
+++ b/src/packet_analysis/protocol/snap/CMakeLists.txt
@@ -0,0 +1 @@
+zeek_add_plugin(PacketAnalyzer SNAP SOURCES SNAP.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/snap/Plugin.cc b/src/packet_analysis/protocol/snap/Plugin.cc
new file mode 100644
index 0000000000..f4ede75e0b
--- /dev/null
+++ b/src/packet_analysis/protocol/snap/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+namespace zeek::plugin::Zeek_SNAP
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"SNAP", zeek::packet_analysis::SNAP::SNAPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::SNAP";
+		config.description = "SNAP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/src/packet_analysis/protocol/snap/SNAP.cc b/src/packet_analysis/protocol/snap/SNAP.cc
new file mode 100644
index 0000000000..fe773c7d06
--- /dev/null
+++ b/src/packet_analysis/protocol/snap/SNAP.cc
@@ -0,0 +1,50 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/snap/SNAP.h"
+
+using namespace zeek::packet_analysis::SNAP;
+
+SNAPAnalyzer::SNAPAnalyzer() : zeek::packet_analysis::Analyzer("SNAP") { }
+
+bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// The first part of the header is an LLC header, which we need to determine the
+	// length of the full header. Check to see if the shorter 3-byte version will fit.
+	if ( len < 3 )
+		{
+		Weird("truncated_snap_llc_header", packet);
+		return false;
+		}
+
+	// If the control field doesn't have an unnumbered PDU, the header is actually 4
+	// bytes long. Whether this is unnumbered is denoted by the last two bits being
+	// set.
+	size_t llc_header_len = 3;
+	if ( (data[2] & 0x03) != 0x03 )
+		llc_header_len++;
+
+	// Check the full length of the SNAP header, which is the LLC header plus 5 bytes.
+	if ( len < llc_header_len + 5 )
+		{
+		Weird("truncated_snap_header", packet);
+		return false;
+		}
+
+	data += llc_header_len;
+	len -= llc_header_len;
+
+	int oui = (data[0] << 16) | (data[1] << 8) | data[2];
+	int protocol = (data[3] << 8) | data[4];
+
+	data += 5;
+	len -= 5;
+
+	if ( oui == 0 )
+		{
+		// If the OUI is zero, the protocol is a standard ethertype and can be
+		// forwarded as such.
+		return ForwardPacket(len, data, packet, protocol);
+		}
+
+	return true;
+	}
diff --git a/src/packet_analysis/protocol/snap/SNAP.h b/src/packet_analysis/protocol/snap/SNAP.h
new file mode 100644
index 0000000000..a62fa05562
--- /dev/null
+++ b/src/packet_analysis/protocol/snap/SNAP.h
@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::SNAP
+	{
+
+class SNAPAnalyzer : public Analyzer
+	{
+public:
+	SNAPAnalyzer();
+	~SNAPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<SNAPAnalyzer>();
+		}
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/tcp/CMakeLists.txt b/src/packet_analysis/protocol/tcp/CMakeLists.txt
index 6e9646a8bd..9935b63489 100644
--- a/src/packet_analysis/protocol/tcp/CMakeLists.txt
+++ b/src/packet_analysis/protocol/tcp/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     PacketAnalyzer
     TCP_PKT
     SOURCES
-        TCP.cc
-        TCPSessionAdapter.cc
-        Plugin.cc
-        Stats.cc
-)
+    TCP.cc
+    TCPSessionAdapter.cc
+    Plugin.cc
+    Stats.cc)
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index 6d6dfc4dbb..7df5236048 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -130,7 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
 	// but this adapter does some other things in its DeliverPacket with the packet children
 	// analyzers.
-	adapter->DeliverPacket(len, data, is_orig, adapter->LastRelDataSeq(), ip.get(), remaining);
+	adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(),
+	                       pkt->cap_len);
 	}
 
 const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
diff --git a/src/packet_analysis/protocol/teredo/CMakeLists.txt b/src/packet_analysis/protocol/teredo/CMakeLists.txt
index 028864160e..dd5682b1f5 100644
--- a/src/packet_analysis/protocol/teredo/CMakeLists.txt
+++ b/src/packet_analysis/protocol/teredo/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     Teredo
     SOURCES
-        Teredo.cc
-        Plugin.cc
+    Teredo.cc
+    Plugin.cc
     BIFS
-        events.bif
-        functions.bif
-)
+    events.bif
+    functions.bif)
diff --git a/src/packet_analysis/protocol/udp/CMakeLists.txt b/src/packet_analysis/protocol/udp/CMakeLists.txt
index 99a892a89c..3812077c37 100644
--- a/src/packet_analysis/protocol/udp/CMakeLists.txt
+++ b/src/packet_analysis/protocol/udp/CMakeLists.txt
@@ -2,9 +2,8 @@ zeek_add_plugin(
     Zeek
     UDP
     SOURCES
-        UDP.cc
-        UDPSessionAdapter.cc
-        Plugin.cc
+    UDP.cc
+    UDPSessionAdapter.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 58f12960a3..1200cd2f49 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -109,7 +109,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	auto validate_checksum = ! run_state::current_pkt->l4_checksummed &&
 	                         ! zeek::detail::ignore_checksums &&
 	                         ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
-	                         remaining >= len;
+	                         remaining >= len && pkt->len <= pkt->cap_len;
 
 	constexpr auto vxlan_len = 8;
 	constexpr auto eth_len = 14;
@@ -225,9 +225,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// detection has to be used.
 	ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
 
-	// Also try sending it into session analysis.
-	if ( remaining >= len )
-		adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);
+	// Forward any data through session-analysis, too.
+	adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len);
 	}
 
 bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
diff --git a/src/packet_analysis/protocol/vlan/CMakeLists.txt b/src/packet_analysis/protocol/vlan/CMakeLists.txt
index ed37c128c4..afc2faab54 100644
--- a/src/packet_analysis/protocol/vlan/CMakeLists.txt
+++ b/src/packet_analysis/protocol/vlan/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    VLAN
-    SOURCES
-        VLAN.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer VLAN SOURCES VLAN.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc
index 4287fa5675..e57d7810a7 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.cc
+++ b/src/packet_analysis/protocol/vlan/VLAN.cc
@@ -4,7 +4,12 @@
 
 using namespace zeek::packet_analysis::VLAN;
 
-VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN") { }
+VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN")
+	{
+	snap_forwarding_key = id::find_val("PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY")->AsCount();
+	novell_forwarding_key = id::find_val("PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY")->AsCount();
+	llc_forwarding_key = id::find_val("PacketAnalyzer::VLAN::LLC_FORWARDING_KEY")->AsCount();
+	}
 
 bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	{
@@ -17,8 +22,39 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 	auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
 	vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
 
+	// Get the protocol/length field from the last 2 bytes of the header.
 	uint32_t protocol = ((data[2] << 8u) + data[3]);
-	packet->eth_type = protocol;
-	// Skip the VLAN header
-	return ForwardPacket(len - 4, data + 4, packet, protocol);
+
+	if ( protocol >= 1536 )
+		{
+		packet->eth_type = protocol;
+		// Skip the VLAN header
+		return ForwardPacket(len - 4, data + 4, packet, protocol);
+		}
+
+	if ( protocol <= 1500 )
+		{
+		// Skip over the VLAN header
+		len -= 4;
+		data += 4;
+
+		if ( len < protocol )
+			{
+			Weird("truncated_vlan_frame", packet);
+			return false;
+			}
+
+		if ( data[0] == 0xAA && data[1] == 0xAA )
+			// IEEE 802.2 SNAP
+			return ForwardPacket(len, data, packet, snap_forwarding_key);
+		else if ( data[0] == 0xFF && data[1] == 0xFF )
+			// Novell raw IEEE 802.3
+			return ForwardPacket(len, data, packet, novell_forwarding_key);
+		else
+			// IEEE 802.2 LLC
+			return ForwardPacket(len, data, packet, llc_forwarding_key);
+		}
+
+	Weird("undefined_vlan_protocol", packet);
+	return false;
 	}
diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h
index 46606e7667..57a342e720 100644
--- a/src/packet_analysis/protocol/vlan/VLAN.h
+++ b/src/packet_analysis/protocol/vlan/VLAN.h
@@ -20,6 +20,11 @@ public:
 		{
 		return std::make_shared<VLANAnalyzer>();
 		}
+
+private:
+	zeek_uint_t snap_forwarding_key = 0;
+	zeek_uint_t novell_forwarding_key = 0;
+	zeek_uint_t llc_forwarding_key = 0;
 	};
 
 	}
diff --git a/src/packet_analysis/protocol/vntag/CMakeLists.txt b/src/packet_analysis/protocol/vntag/CMakeLists.txt
index 313d5b67bf..1143d525a7 100644
--- a/src/packet_analysis/protocol/vntag/CMakeLists.txt
+++ b/src/packet_analysis/protocol/vntag/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    PacketAnalyzer
-    VNTag
-    SOURCES
-        VNTag.cc
-        Plugin.cc
-)
+zeek_add_plugin(PacketAnalyzer VNTag SOURCES VNTag.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/vxlan/CMakeLists.txt b/src/packet_analysis/protocol/vxlan/CMakeLists.txt
index 81623727bb..5a077f50f8 100644
--- a/src/packet_analysis/protocol/vxlan/CMakeLists.txt
+++ b/src/packet_analysis/protocol/vxlan/CMakeLists.txt
@@ -2,8 +2,7 @@ zeek_add_plugin(
     Zeek
     VXLAN
     SOURCES
-        VXLAN.cc
-        Plugin.cc
+    VXLAN.cc
+    Plugin.cc
     BIFS
-        events.bif
-)
+    events.bif)
diff --git a/src/packet_analysis/protocol/wrapper/CMakeLists.txt b/src/packet_analysis/protocol/wrapper/CMakeLists.txt
index 6c37e2e35b..aaac07bbb3 100644
--- a/src/packet_analysis/protocol/wrapper/CMakeLists.txt
+++ b/src/packet_analysis/protocol/wrapper/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_plugin(
-    Zeek
-    Wrapper
-    SOURCES
-        Wrapper.cc
-        Plugin.cc
-)
+zeek_add_plugin(Zeek Wrapper SOURCES Wrapper.cc Plugin.cc)
diff --git a/src/parse.y b/src/parse.y
index 2334b2eae3..4db15571ab 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -1488,13 +1488,6 @@ func_hdr:
 			}
 	|	TOK_EVENT event_id func_params opt_attr
 			{
-			const char* name = $2->Name();
-			if ( util::streq("bro_init", name) || util::streq("bro_done", name) || util::streq("bro_script_loaded", name) )
-				{
-				auto base = std::string(name).substr(4);
-				reporter->Error("event %s() is no longer available, use zeek_%s() instead", name, base.c_str());
-				}
-
 			begin_func({NewRef{}, $2}, current_module.c_str(),
 				                     FUNC_FLAVOR_EVENT, false, {NewRef{}, $3},
 			                         std::unique_ptr<std::vector<AttrPtr>>{$4});
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index 85b00e8060..d4f34f28ff 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -13,8 +13,10 @@
 
 // Avoid ccache busting of Plugin.h for internal plugins by
 // only including zeek/zeek-version.h if we're building an
-// external plugin.
-#if defined(ZEEK_PLUGIN_INTERNAL_BUILD) && ! ZEEK_PLUGIN_INTERNAL_BUILD
+// external plugin. The define gets set in the CMakeLists.txt file
+// for the Zeek::Internal target, which only exists when
+// building Zeek itself.
+#ifndef ZEEK_PLUGIN_SKIP_VERSION_CHECK
 #include "zeek/zeek-version.h"
 // Remove the BRO define in v6.1.
 #define BRO_PLUGIN_BRO_VERSION ZEEK_VERSION_FUNCTION
@@ -130,10 +132,12 @@ public:
 #endif
 	inline Configuration() __attribute__((always_inline))
 		{
-// Only bake in a ZEEK_PLUGIN_ZEEK_VERSION reference into external
-// plugins. The internal ones are in the same binary so the runtime
-// link check shouldn't be needed and we can avoid ccache busting.
-#if defined(ZEEK_PLUGIN_INTERNAL_BUILD) && ! ZEEK_PLUGIN_INTERNAL_BUILD
+// Only bake in a ZEEK_PLUGIN_ZEEK_VERSION reference into external plugins. The
+// internal ones are in the same binary so the runtime link check shouldn't be
+// needed and we can avoid ccache busting. The define gets set in the
+// CMakeLists.txt file for the Zeek::Internal target, which only exists when
+// building Zeek itself.
+#ifndef ZEEK_PLUGIN_SKIP_VERSION_CHECK
 		bro_version = ZEEK_PLUGIN_ZEEK_VERSION;
 		zeek_version = ZEEK_PLUGIN_ZEEK_VERSION;
 #endif
diff --git a/src/probabilistic/CMakeLists.txt b/src/probabilistic/CMakeLists.txt
index f8f948aea3..9c5a6e72bd 100644
--- a/src/probabilistic/CMakeLists.txt
+++ b/src/probabilistic/CMakeLists.txt
@@ -1,14 +1,13 @@
 zeek_add_subdir_library(
     probabilistic
     SOURCES
-        BitVector.cc
-        BloomFilter.cc
-        CardinalityCounter.cc
-        CounterVector.cc
-        Hasher.cc
-        Topk.cc
+    BitVector.cc
+    BloomFilter.cc
+    CardinalityCounter.cc
+    CounterVector.cc
+    Hasher.cc
+    Topk.cc
     BIFS
-        bloom-filter.bif
-        cardinality-counter.bif
-        top-k.bif
-)
+    bloom-filter.bif
+    cardinality-counter.bif
+    top-k.bif)
diff --git a/src/re-parse.y b/src/re-parse.y
index 7a38820f90..2d6672df8d 100644
--- a/src/re-parse.y
+++ b/src/re-parse.y
@@ -34,6 +34,8 @@ void yyerror(const char msg[]);
 %type <ccl_val> TOK_CCL ccl full_ccl
 %type <mach_val> re singleton series string
 
+%destructor { delete $$; } <mach_val>
+
 %%
 flexrule	:	re
 			{ $1->AddAccept(1); zeek::detail::nfa = $1; }
@@ -50,18 +52,18 @@ re		:  re '|' series
 		;
 
 series		:  series singleton
-			{ $1->AppendMachine($2); }
+			{ $1->AppendMachine($2); $$ = $1; }
 		|  singleton
 		;
 
 singleton	:  singleton '*'
-			{ $1->MakeClosure(); }
+			{ $1->MakeClosure(); $$ = $1; }
 
 		|  singleton '+'
-			{ $1->MakePositiveClosure(); }
+			{ $1->MakePositiveClosure(); $$ = $1; }
 
 		|  singleton '?'
-			{ $1->MakeOptional(); }
+			{ $1->MakeOptional(); $$ = $1; }
 
 		|  singleton '{' TOK_NUMBER ',' TOK_NUMBER '}'
 			{
@@ -95,6 +97,8 @@ singleton	:  singleton '*'
 				$1->MakeClosure();
 			else
 				$1->MakeRepl($3, NO_UPPER_BOUND);
+
+			$$ = $1;
 			}
 
 		|  singleton '{' TOK_NUMBER '}'
@@ -239,6 +243,7 @@ string		:  string TOK_CHAR
 			// of "escaping" out of insensitivity
 			// if needed.
 			$1->AppendState(new zeek::detail::NFA_State($2, zeek::detail::rem->EC()));
+			$$ = $1;
 			}
 
 		|
diff --git a/src/scan.l b/src/scan.l
index c169753f92..c961b928e2 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -489,6 +489,16 @@ when	return TOK_WHEN;
 	const char* file = zeek::util::skip_whitespace(yytext + 7);
 	std::string path = find_relative_script_file(file);
 
+	if ( ! path.empty() && zeek::util::is_dir(path.c_str()) )
+		{
+		// open_package() appends __load__.zeek to path and verifies existence
+		FILE *f = zeek::util::detail::open_package(path);
+		if (f)
+			fclose(f);
+		else
+			path = "";
+		}
+
 	if ( path.empty() )
 		zeek::reporter->Error("failed find file associated with @unload %s", file);
 	else
diff --git a/src/script_opt/CPP/maint/README b/src/script_opt/CPP/maint/README
index 3510f38192..072b9dd222 100644
--- a/src/script_opt/CPP/maint/README
+++ b/src/script_opt/CPP/maint/README
@@ -11,13 +11,7 @@ If you make changes to the scripts, format them using
 
 The maintenance workflow:
 
-1.  Update this timestamp, so this file will be changed and you'll remember
-    to check in updates to the list of how the compiler currently fares
-    on various btests (see end of this doc):
-
-	Sun Mar  5 12:02:44 PST 2023
-
-2.  Make sure the compiler can compile and execute the base scripts:
+1.  Make sure the compiler can compile and execute the base scripts:
 
 	echo | src/zeek -O gen-C++
 	ninja
@@ -27,32 +21,30 @@ The maintenance workflow:
     compiler that you'll want to subsequent run against the test suite,
     per the following.
 
-3.  Run "find-test-files.sh" to generate a list (to stdout) of all of the
+2.  Run "find-test-files.sh" to generate a list (to stdout) of all of the
     possible Zeek source files found in the test suite.
 
-4.  For each such Zeek file, run "check-zeek.sh" to see whether Zeek can
+3.  For each such Zeek file, run "check-zeek.sh" to see whether Zeek can
     parse it.  This helps remove from further consideration difficult
     tests (like those that have embedded input files, or multiple separate
     scripts).
 
-5.  "mkdir CPP-test" - a directory for holding results relating to C++ testing
+4.  "mkdir CPP-test" - a directory for holding results relating to C++ testing
 
-6.  Run "check-CPP-gen.sh" for each Zeek file that passed "check-zeek.sh".
+5.  Run "check-CPP-gen.sh" for each Zeek file that passed "check-zeek.sh".
     This will generate a corresponding file in CPP-test/out* indicating whether
     "-O gen-C++" can successfully run on the input.  Presently, it should
-    be able to do so for all of them, other than some exceptions noted below.
+    be able to do so for all of them.
 
     This step is parallelizable, say using xargs -P 10 -n 1.
 
-7.  Copy ./src/zeek to ./zeek.HOLD.  This is used to speed up recompilation used
+6.  Copy ./src/zeek to ./zeek.HOLD.  This is used to speed up recompilation used
     in the next step.  However, it's also a headache to do development to
     fix a bug and then forget to update zeek.HOLD, which means you wind up
     running the old version.  You can combat that by removing ./zeek.HOLD
     every time you start working on fixing a bug.
 
-8.  Use the appended database to remove inputs that have known issues.
-
-9.  For every input that survives that pruning, run "do-CPP-btest.sh".
+7.  For every input that survives that pruning, run "do-CPP-btest.sh".
     This will generate C++ for the BTest, compile it, and run the result
     to see if it succeeds.  It populates CPP-test/diag* with the Btest
     diagnostic output (empty means success).  For non-empty output,
@@ -67,32 +59,12 @@ The maintenance workflow:
     does btest, for displaying differences or updating the baseline
     (which is Baseline.cpp).
 
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+FYI:
+    There are two tests that in the past have demonstrated possible
+    variations due to presumed race conditions:
 
-These BTests won't successfully run due to the indicated issue:
+	../testing/btest/scripts/base/utils/active-http.test
+	../testing/btest/supervisor/revive-leaf.zeek
 
-	bad-constructor - uses a complex old-style constructor that
-		should be updated
-	bad-when - deliberately has old-style "when" without captures
-	cond - not compilable due to the presence of conditional code
-	deprecated - uses deprecated features not support for -O gen-C++
-	test-glitch - fails because of how we do testing: the first -O gen-C++
-		pass leaves httpd running, which causes the second -O use-C++
-		pass to fail when it tries to start up a new httpd
-	skipped - test can be skipped due to environmental reasons (e.g.,
-		whether we have a certain Kerberos setup)
-	start-next - test uses @TEST-START-NEXT.  As long as the diagnostic
-		output doesn't have errors for language.blank-local-4, it's ok
-	race? - appears to have a race condition, can fail even when
-		running with interpreter, and can pass with -O C++
-
-Database Of Known Issues
-
-../testing/btest/language/blank-local.zeek start-next
-../testing/btest/language/when-aggregates.zeek bad-when
-../testing/btest/scripts/base/protocols/krb/smb2_krb.test skipped
-../testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test skipped
-../testing/btest/scripts/base/utils/active-http.test test-glitch
-../testing/btest/scripts/policy/frameworks/dpd/packet-segment-logging.zeek cond
-../testing/btest/scripts/policy/misc/dump-events.zeek skipped
-../testing/btest/supervisor/revive-leaf.zeek race?
+    These haven't shown up in a while, as of May 2023, so we can remove
+    the above if they continue to not show up.
diff --git a/src/script_opt/CPP/maint/check-CPP-gen.sh b/src/script_opt/CPP/maint/check-CPP-gen.sh
index dae5e93720..a85901b1be 100755
--- a/src/script_opt/CPP/maint/check-CPP-gen.sh
+++ b/src/script_opt/CPP/maint/check-CPP-gen.sh
@@ -10,7 +10,7 @@ gen_out=CPP-test/gen.$abbr
         echo "fail"
         exit 1
     fi
-    if grep -E -q '(deprecated.*(when|vector))|skipping|cannot compile|no matching functions' $gen_out; then
+    if grep -E -q '(deprecated.*(when|vector))|skipping|cannot be compiled|cannot compile|no matching functions' $gen_out; then
         echo "fail"
         exit 1
     fi
diff --git a/src/script_opt/CPP/maint/do-CPP-btest.sh b/src/script_opt/CPP/maint/do-CPP-btest.sh
index 71df6dbc38..55be391567 100755
--- a/src/script_opt/CPP/maint/do-CPP-btest.sh
+++ b/src/script_opt/CPP/maint/do-CPP-btest.sh
@@ -21,6 +21,7 @@ base=$(echo $1 | sed 's,\.\./,,;s,/,#,g')
 rel_test=$(echo $1 | sed 's,.*testing/btest/,,')
 
 export ZEEK_GEN_CPP=1
+export ZEEK_REPORT_UNCOMPILABLE=1
 export ZEEK_CPP_DIR=$(pwd)
 # export ZEEK_OPT_FUNCS="<global-stmts>"
 export ZEEK_OPT_FILES="testing/btest"
@@ -31,7 +32,7 @@ export ZEEK_OPT_FILES="testing/btest"
 )
 
 # export -n ZEEK_GEN_CPP ZEEK_CPP_DIR ZEEK_OPT_FUNCS ZEEK_OPT_FILES
-export -n ZEEK_GEN_CPP ZEEK_CPP_DIR ZEEK_OPT_FILES
+export -n ZEEK_GEN_CPP ZEEK_REPORT_UNCOMPILABLE ZEEK_CPP_DIR ZEEK_OPT_FILES
 
 ninja
 
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index 8ae6cae765..8a44ffcd84 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -266,6 +266,7 @@ static void init_options()
 	check_env_opt("ZEEK_XFORM", analysis_options.activate);
 	check_env_opt("ZEEK_ZAM", analysis_options.gen_ZAM);
 	check_env_opt("ZEEK_COMPILE_ALL", analysis_options.compile_all);
+	check_env_opt("ZEEK_REPORT_UNCOMPILABLE", analysis_options.report_uncompilable);
 	check_env_opt("ZEEK_ZAM_CODE", analysis_options.gen_ZAM_code);
 	check_env_opt("ZEEK_NO_ZAM_OPT", analysis_options.no_ZAM_opt);
 	check_env_opt("ZEEK_DUMP_ZAM", analysis_options.dump_ZAM);
diff --git a/src/session/CMakeLists.txt b/src/session/CMakeLists.txt
index 752db51cbb..0bd82de16e 100644
--- a/src/session/CMakeLists.txt
+++ b/src/session/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_subdir_library(
-    session
-    SOURCES
-        Session.cc
-        Key.cc
-        Manager.cc
-)
+zeek_add_subdir_library(session SOURCES Session.cc Key.cc Manager.cc)
diff --git a/src/spicy/.clang-format b/src/spicy/.clang-format
new file mode 100644
index 0000000000..ec20c65ea9
--- /dev/null
+++ b/src/spicy/.clang-format
@@ -0,0 +1,132 @@
+---
+Language:        Cpp
+AccessModifierOffset: -4
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: Right
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: true
+AllowShortFunctionsOnASingleLine: true
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: true
+AlwaysBreakTemplateDeclarations: Yes
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      true
+  IndentBraces:    false
+  SplitEmptyFunction: false
+  SplitEmptyRecord: false
+  SplitEmptyNamespace: false
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Custom
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: false
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     120
+CommentPragmas:  'NOLINT'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks: Regroup
+IncludeCategories:
+  - Regex:           'hilti/rt.*\.(h|hpp)>'
+    Priority:        5
+  - Regex:           'spicy/rt.*\.(h|hpp)>'
+    Priority:        6
+  - Regex:           'hilti.*\.(h|hpp)>'
+    Priority:        7
+  - Regex:           'spicy.*\.(h|hpp)>'
+    Priority:        8
+  - Regex:           '<zeek-spicy\/'
+    Priority:        9
+  - Regex:           '<zeek\/'
+    Priority:        10
+  - Regex:           '^<([[:alnum:]]|_)+>'
+    Priority:        2
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '.*'
+    Priority:        11
+IncludeIsMainRegex: '$'
+IndentCaseLabels: true
+IndentPPDirectives: None
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: '^BEGIN_'
+MacroBlockEnd:   '^END_'
+MaxEmptyLinesToKeep: 2
+NamespaceIndentation: None
+ObjCBinPackProtocolList: Auto
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 500
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 1000
+PointerAlignment: Left
+ReflowComments:  true
+SortIncludes:    true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: false
+SpaceAfterLogicalNot: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles:  false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpacesInConditionalStatement: true
+Standard:        Cpp11
+StatementMacros:
+  - STANDARD_OPERATOR_1
+TabWidth:        4
+UseTab:          Never
+...
diff --git a/src/spicy/CMakeLists.txt b/src/spicy/CMakeLists.txt
new file mode 100644
index 0000000000..bd3b6e5c83
--- /dev/null
+++ b/src/spicy/CMakeLists.txt
@@ -0,0 +1,29 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+zeek_add_subdir_library(
+    spicy
+    INTERNAL_DEPENDENCIES
+    ${BIF_BUILD_TARGET}
+    INCLUDE_DIRS
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_BINARY_DIR}
+    SOURCES
+    manager.cc
+    file-analyzer.cc
+    packet-analyzer.cc
+    protocol-analyzer.cc
+    runtime-support.cc
+    BIFS
+    spicy.bif)
+
+target_link_libraries(zeek_spicy_obj PRIVATE hilti spicy)
+
+set(ZEEK_SPICY_MODULE_PATH "${CMAKE_INSTALL_FULL_LIBDIR}/zeek/spicy" CACHE PATH "")
+install(DIRECTORY DESTINATION "${ZEEK_SPICY_MODULE_PATH}")
+
+set(ZEEK_SPICY_LIBRARY_PATH "${CMAKE_INSTALL_FULL_DATADIR}/zeek/spicy" CACHE PATH "")
+install(DIRECTORY "${PROJECT_SOURCE_DIR}/scripts/spicy/" DESTINATION "${ZEEK_SPICY_LIBRARY_PATH}")
+
+set(ZEEK_SPICY_DATA_PATH "${CMAKE_INSTALL_FULL_DATADIR}/zeek" CACHE PATH "")
+
+add_subdirectory(spicyz)
diff --git a/src/spicy/cookie.h b/src/spicy/cookie.h
new file mode 100644
index 0000000000..bc59f09a7b
--- /dev/null
+++ b/src/spicy/cookie.h
@@ -0,0 +1,233 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+/**
+ * Cookie types that's stored in the HILTI context to provide access to the
+ * current analyzer.
+ */
+
+#pragma once
+
+#include <memory>
+#include <optional>
+#include <string>
+#include <utility>
+#include <variant>
+#include <vector>
+
+#include "zeek/Val.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/file_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Analyzer.h"
+
+namespace zeek::spicy::rt {
+
+namespace cookie {
+
+/** State representing analysis of one file. */
+struct FileState {
+    FileState(std::string fid) : fid(std::move(fid)) {}
+    std::string fid;                      /**< unique Zeek-side file ID */
+    std::optional<std::string> mime_type; /**< MIME type, if explicitly set */
+};
+
+/**
+ * State stored inside protocol/file analyzer cookies retaining file analysis
+ * state.
+ *
+ * Internally, this maintains a stack of state objects representing individual
+ * files that are currently in-flight.
+ */
+class FileStateStack {
+public:
+    /**
+     * Constructor.
+     *
+     * @param analyzer_id unique ID string representing parent connection/file analyzer
+     */
+    FileStateStack(std::string analyzer_id) : _analyzer_id(std::move(analyzer_id)) {}
+
+    /**
+     * Begins analysis for a new file, pushing a new state object onto the
+     * stack.
+     */
+    FileState* push();
+
+    /** Returns true if the stack is currently empty. */
+    bool isEmpty() const { return _stack.empty(); }
+
+    /**
+     * Removes an object from the stack.
+     *
+     * @param fid ID of file to remove state for; no-op if not found
+     */
+    void remove(const std::string& fid);
+
+    /**
+     * Returns a pointer to the state of the most recently pushed file. Must not
+     * be called on an empty stack.
+     **/
+    const FileState* current() const {
+        assert(_stack.size());
+        return &_stack.back();
+    }
+
+    /**
+     * Returns the state of a given file currently on the stack.
+     *
+     * @param fid ID of file to find
+     * @returns pointer to the file's state, or null if not found
+     */
+    const FileState* find(const std::string& fid) const;
+
+private:
+    std::vector<FileState> _stack; // stack of files in flight
+    std::string _analyzer_id;      // unique ID string of parent analyzer, as passed into ctor
+    uint64_t _id_counter = 0;      // counter incremented for each file added to this stack
+};
+
+/** State on the current protocol analyzer. */
+struct ProtocolAnalyzer {
+    analyzer::Analyzer* analyzer = nullptr;                            /**< current analyzer */
+    bool is_orig = false;                                              /**< direction of the connection */
+    uint64_t num_packets = 0;                                          /**< number of packets seen so far */
+    FileStateStack fstate_orig;                                        /**< file analysis state for originator side */
+    FileStateStack fstate_resp;                                        /**< file analysis state for responder side */
+    std::shared_ptr<packet_analysis::TCP::TCPSessionAdapter> fake_tcp; /**< fake TPC analyzer created internally */
+};
+
+/** State on the current file analyzer. */
+struct FileAnalyzer {
+    file_analysis::Analyzer* analyzer = nullptr; /**< current analyzer */
+    uint64_t depth = 0;    /**< recursive depth of file analysis (Spicy-side file analysis only) */
+    FileStateStack fstate; /**< file analysis state for nested files */
+};
+
+/** State on the current file analyzer. */
+struct PacketAnalyzer {
+    packet_analysis::Analyzer* analyzer = nullptr; /**< current analyzer */
+    Packet* packet = nullptr;                      /**< current packet */
+    ValPtr packet_val = nullptr;                   /**< cached "raw_pkt_hdr" val for packet */
+    std::optional<uint32_t> next_analyzer;
+};
+
+} // namespace cookie
+
+/**
+ * Type of state stored in HILTI's execution context during Spicy processing.
+ * This is optimized for fast access and small size.
+ */
+struct Cookie {
+    // Exactly one of these pointers is non-null at any time. In that way, the
+    // pointers provide the semantics of a tagged union. Internals are bit
+    // tricky because the union itself cannot be copied/moved.
+    cookie::ProtocolAnalyzer* protocol = nullptr;
+    cookie::FileAnalyzer* file = nullptr;
+    cookie::PacketAnalyzer* packet = nullptr;
+
+    Cookie(cookie::ProtocolAnalyzer&& c) : data(std::move(c)) { protocol = &data.protocol; }
+    Cookie(cookie::FileAnalyzer&& c) : data(std::move(c)) { file = &data.file; }
+    Cookie(cookie::PacketAnalyzer&& c) : data(std::move(c)) { packet = &data.packet; }
+    Cookie(Cookie&& other) noexcept : data(other.tag(), std::move(other.data)) { _initLike(other); }
+    ~Cookie() { _delete(); }
+
+    Cookie& operator=(Cookie&& other) noexcept {
+        if ( this == &other )
+            return *this;
+
+        _delete();
+        _initLike(other);
+
+        new (&data) Data(tag(), std::move(other.data));
+        return *this;
+    }
+
+    // Cache of values that can be expensive to compute.
+    struct {
+        ValPtr conn = nullptr;    // valid only for protocol analyzers
+        ValPtr is_orig = nullptr; // valid only for protocol analyzers
+        bool confirmed = false;   // valid only for protocol analyzers;
+    } cache;
+
+    enum Tag { Protocol, File, Packet };
+
+    /** Returns the type of cookie currently stored. */
+    Tag tag() const {
+        if ( protocol )
+            return Tag::Protocol;
+        else if ( file )
+            return Tag::File;
+        else if ( packet )
+            return Tag::Packet;
+        else
+            throw std::runtime_error("invalid cookie");
+    }
+
+private:
+    union Data {
+        cookie::ProtocolAnalyzer protocol;
+        cookie::FileAnalyzer file;
+        cookie::PacketAnalyzer packet;
+
+        Data(cookie::ProtocolAnalyzer&& protocol) : protocol(std::move(protocol)) {}
+        Data(cookie::FileAnalyzer&& file) : file(std::move(file)) {}
+        Data(cookie::PacketAnalyzer&& packet) : packet(std::move(packet)) {}
+        Data(Tag tag, Data&& other) {
+            switch ( tag ) {
+                case Tag::Protocol: new (&protocol) cookie::ProtocolAnalyzer(std::move(other.protocol)); break;
+                case Tag::File: new (&file) cookie::FileAnalyzer(std::move(other.file)); break;
+                case Tag::Packet: new (&packet) cookie::PacketAnalyzer(std::move(other.packet)); break;
+            }
+        }
+
+        ~Data() {
+            // don't delete anything, Cookie is in charge.
+        }
+
+        Data(const Data& other) = delete;
+        Data& operator=(const Data& other) = delete;
+        Data& operator=(Data&& other) = delete;
+    } data;
+
+    void _delete() {
+        if ( protocol ) {
+            data.protocol.~ProtocolAnalyzer();
+            protocol = nullptr;
+            cache.conn = nullptr;
+            cache.is_orig = nullptr;
+            cache.confirmed = false;
+        }
+        else if ( file ) {
+            data.file.~FileAnalyzer();
+            file = nullptr;
+        }
+        else if ( packet ) {
+            data.packet.~PacketAnalyzer();
+            packet = nullptr;
+        }
+    }
+
+    void _initLike(const Cookie& other) {
+        if ( other.protocol ) {
+            protocol = &data.protocol;
+            cache.confirmed = other.cache.confirmed;
+        }
+
+        else if ( other.file )
+            file = &data.file;
+
+        else if ( other.packet )
+            packet = &data.packet;
+    }
+
+    Cookie(const Cookie& other) = delete;
+    Cookie& operator=(const Cookie& other) = delete;
+
+    friend inline void swap(Cookie& lhs, Cookie& rhs) {
+        Cookie tmp = std::move(lhs);
+        lhs = std::move(rhs);
+        rhs = std::move(tmp);
+    }
+};
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/file-analyzer.cc b/src/spicy/file-analyzer.cc
new file mode 100644
index 0000000000..2d3347e796
--- /dev/null
+++ b/src/spicy/file-analyzer.cc
@@ -0,0 +1,138 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "file-analyzer.h"
+
+#include <utility>
+
+#include "spicy.bif.h"
+#include "zeek/file_analysis/File.h"
+#include "zeek/spicy/manager.h"
+#include "zeek/spicy/runtime-support.h"
+
+using namespace zeek;
+using namespace zeek::spicy;
+using namespace zeek::spicy::rt;
+
+#ifdef DEBUG
+#define STATE_DEBUG_MSG(...) DebugMsg(__VA_ARGS__)
+#else
+#define STATE_DEBUG_MSG(...)
+#endif
+
+void FileState::debug(const std::string& msg) { spicy::rt::debug(_cookie, msg); }
+
+static auto create_file_state(FileAnalyzer* analyzer) {
+    uint64_t depth = 0;
+    if ( auto current_cookie = static_cast<Cookie*>(hilti::rt::context::cookie()) ) {
+        if ( const auto f = current_cookie->file )
+            depth = f->depth + 1;
+    }
+
+    cookie::FileAnalyzer cookie{.analyzer = analyzer,
+                                .depth = depth,
+                                .fstate = cookie::FileStateStack(analyzer->GetFile()->GetID())};
+    return FileState(std::move(cookie));
+}
+
+FileAnalyzer::FileAnalyzer(RecordValPtr args, file_analysis::File* file)
+    : file_analysis::Analyzer(std::move(args), file), _state(create_file_state(this)) {}
+
+FileAnalyzer::~FileAnalyzer() {}
+
+void FileAnalyzer::Init() {}
+
+void FileAnalyzer::Done() { Finish(); }
+
+bool FileAnalyzer::DeliverStream(const u_char* data, uint64_t len) {
+    file_analysis::Analyzer::DeliverStream(data, len);
+
+    return Process(len, data);
+}
+
+bool FileAnalyzer::Undelivered(uint64_t offset, uint64_t len) {
+    file_analysis::Analyzer::Undelivered(offset, len);
+
+    STATE_DEBUG_MSG("undelivered data, skipping further originator payload");
+    _state.skipRemaining();
+    return false;
+}
+
+bool FileAnalyzer::EndOfFile() {
+    file_analysis::Analyzer::EndOfFile();
+    Finish();
+    return false;
+}
+
+bool FileAnalyzer::Process(int len, const u_char* data) {
+    if ( ! _state.hasParser() && ! _state.isSkipping() ) {
+        auto parser = spicy_mgr->parserForFileAnalyzer(_state.file().analyzer->Tag());
+        if ( parser )
+            _state.setParser(parser);
+        else {
+            STATE_DEBUG_MSG("no unit specified for parsing");
+            _state.skipRemaining();
+            return false;
+        }
+    }
+
+    auto* file = _state.file().analyzer->GetFile();
+
+    const auto& max_file_depth = BifConst::Spicy::max_file_depth;
+
+    if ( _state.file().depth >= max_file_depth ) {
+        const auto& file_val = file->ToVal();
+
+        const auto analyzer_args = _state.file().analyzer->GetArgs();
+
+        file->FileEvent(Spicy::max_file_depth_exceeded, {file_val, analyzer_args, val_mgr->Count(_state.file().depth)});
+
+        auto tag = spicy_mgr->tagForFileAnalyzer(_state.file().analyzer->Tag());
+#if ZEEK_VERSION_NUMBER >= 50200
+        AnalyzerViolation("maximal file depth exceeded", reinterpret_cast<const char*>(data), len, tag);
+#else
+        // We don't have an an appropriate way to report this with older Zeeks.
+#endif
+        return false;
+    }
+
+    try {
+        hilti::rt::context::CookieSetter _(_state.cookie());
+        _state.process(len, reinterpret_cast<const char*>(data));
+    } catch ( const hilti::rt::RuntimeError& e ) {
+        STATE_DEBUG_MSG(hilti::rt::fmt("error during parsing, triggering analyzer violation: %s", e.what()));
+        auto tag = spicy_mgr->tagForFileAnalyzer(_state.file().analyzer->Tag());
+#if ZEEK_VERSION_NUMBER >= 50200
+        AnalyzerViolation(e.what(), reinterpret_cast<const char*>(data), len, tag);
+#else
+        // We don't have an an appropriate way to report this with older Zeeks.
+#endif
+    } catch ( const hilti::rt::Exception& e ) {
+        STATE_DEBUG_MSG(e.what());
+        spicy_mgr->analyzerError(_state.file().analyzer, e.description(),
+                                 e.location()); // this sets Zeek to skip sending any further input
+    }
+
+    return true;
+}
+
+void FileAnalyzer::Finish() {
+    try {
+        hilti::rt::context::CookieSetter _(_state.cookie());
+        _state.finish();
+    } catch ( const hilti::rt::RuntimeError& e ) {
+        STATE_DEBUG_MSG(hilti::rt::fmt("error during parsing, triggering analyzer violation: %s", e.what()));
+        auto tag = spicy_mgr->tagForFileAnalyzer(_state.file().analyzer->Tag());
+#if ZEEK_VERSION_NUMBER >= 50200
+        AnalyzerViolation(e.what(), "", 0, tag);
+#else
+        // We don't have an an appropriate way to report this with older Zeeks.
+#endif
+    } catch ( const hilti::rt::Exception& e ) {
+        spicy_mgr->analyzerError(_state.file().analyzer, e.description(),
+                                 e.location()); // this sets Zeek to skip sending any further input
+    }
+}
+
+file_analysis::Analyzer* FileAnalyzer::InstantiateAnalyzer(RecordValPtr args, file_analysis::File* file) {
+    return new FileAnalyzer(std::move(args), file);
+}
diff --git a/src/spicy/file-analyzer.h b/src/spicy/file-analyzer.h
new file mode 100644
index 0000000000..2bb6506a88
--- /dev/null
+++ b/src/spicy/file-analyzer.h
@@ -0,0 +1,91 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <optional>
+#include <string>
+#include <utility>
+
+#include <hilti/rt/types/stream.h>
+
+#include <spicy/rt/driver.h>
+#include <spicy/rt/parser.h>
+
+#include "zeek/spicy/cookie.h"
+
+namespace zeek::spicy::rt {
+
+/** Parsing state for a file. */
+class FileState : public ::spicy::rt::driver::ParsingState {
+public:
+    /**
+     * Constructor.
+     *
+     * @param cookie cookie to associated with the file
+     */
+    FileState(Cookie cookie) : ParsingState(::spicy::rt::driver::ParsingType::Stream), _cookie(std::move(cookie)) {}
+
+    /** Returns the cookie pointer to use with the runtime library during analysis. */
+    auto* cookie() { return &_cookie; }
+
+    /** Returns the file-specific cookie state associated with the endpoint. */
+    auto& file() {
+        assert(_cookie.file);
+        return *_cookie.file;
+    }
+
+    /**
+     * Records a debug message pertaining to the specific file.
+     *
+     * @param msg message to record
+     */
+    void DebugMsg(const std::string& msg) { debug(msg); }
+
+protected:
+    // Overridden from driver::ParsingState.
+    void debug(const std::string& msg) override;
+
+private:
+    Cookie _cookie;
+};
+
+/** A Spicy file analyzer. */
+class FileAnalyzer : public file_analysis::Analyzer {
+public:
+    FileAnalyzer(RecordValPtr arg_args, file_analysis::File* arg_file);
+    virtual ~FileAnalyzer();
+
+    static file_analysis::Analyzer* InstantiateAnalyzer(RecordValPtr args, file_analysis::File* file);
+
+protected:
+    // Overridden from Zeek's file analyzer.
+    void Init() override;
+    void Done() override;
+    bool DeliverStream(const u_char* data, uint64_t len) override;
+    bool Undelivered(uint64_t offset, uint64_t len) override;
+    bool EndOfFile() override;
+
+    /**
+     * Feeds a chunk of data into parsing.
+     *
+     * @param len number of bytes valid in *data*
+     * @param data pointer to data
+     * @return true if processing succeeded, false if an error occurred that
+     * stopped parsing
+     */
+    bool Process(int len, const u_char* data);
+
+    /**
+     * Finalizes parsing. After calling this, no more data can be passed into
+     * Process().
+     */
+    void Finish();
+
+    /** Records a debug message. */
+    void DebugMsg(const std::string& msg) { _state.DebugMsg(msg); }
+
+private:
+    FileState _state;
+};
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc
new file mode 100644
index 0000000000..4c36a8c256
--- /dev/null
+++ b/src/spicy/manager.cc
@@ -0,0 +1,930 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/spicy/manager.h"
+
+#include <dlfcn.h>
+#include <glob.h>
+
+#include <exception>
+#include <limits>
+#include <utility>
+
+#include <hilti/rt/configuration.h>
+#include <hilti/rt/filesystem.h>
+#include <hilti/rt/fmt.h>
+#include <hilti/rt/init.h>
+#include <hilti/rt/library.h>
+#include <hilti/rt/logging.h>
+#include <hilti/rt/types/vector.h>
+#include <hilti/rt/util.h>
+
+#include <spicy/rt/configuration.h>
+#include <spicy/rt/init.h>
+#include <spicy/rt/parser.h>
+
+#include <hilti/autogen/config.h>
+
+#include <zeek/analyzer/Manager.h>
+#include <zeek/file_analysis/Manager.h>
+#include <zeek/packet_analysis/Manager.h>
+
+#include "zeek/DebugLogger.h"
+#include "zeek/spicy/file-analyzer.h"
+#include "zeek/spicy/packet-analyzer.h"
+#include "zeek/spicy/protocol-analyzer.h"
+#include "zeek/zeek-config-paths.h"
+
+using namespace zeek;
+using namespace zeek::spicy;
+
+// Split an potentially scoped ID into namespace and local part.
+static std::pair<std::string, std::string> parseID(const std::string& s) {
+    if ( auto i = s.rfind("::"); i != std::string::npos )
+        return std::make_pair(s.substr(0, i), s.substr(i + 2));
+    else
+        return std::make_pair("", s);
+}
+
+Manager::~Manager() {}
+
+void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto,
+                                       const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports,
+                                       const std::string& parser_orig, const std::string& parser_resp,
+                                       const std::string& replaces, const std::string& linker_scope) {
+    SPICY_DEBUG(hilti::rt::fmt("Have Spicy protocol analyzer %s", name));
+
+    ProtocolAnalyzerInfo info;
+    info.name_analyzer = name;
+    info.name_parser_orig = parser_orig;
+    info.name_parser_resp = parser_resp;
+    info.name_replaces = replaces;
+    info.name_zeek = hilti::rt::replace(name, "::", "_");
+    info.name_zeekygen = hilti::rt::fmt("<Spicy-%s>", name);
+    info.protocol = proto;
+    info.ports = ports;
+    info.linker_scope = linker_scope;
+
+    // We may have that analyzer already iff it was previously pre-registered
+    // without a linker scope. We'll then only set the scope now.
+    if ( auto t = _analyzer_name_to_tag_type.find(info.name_zeek); t != _analyzer_name_to_tag_type.end() ) {
+        SPICY_DEBUG(hilti::rt::fmt("Updating already registered protocol analyzer %s", name));
+
+        auto& existing = _protocol_analyzers_by_type.at(t->second);
+        assert(existing.name_analyzer == name);
+        existing.linker_scope = info.linker_scope;
+
+        // If the infos don't match now, we have two separate definitions.
+        if ( info != existing )
+            reporter->FatalError("redefinition of protocol analyzer %s", info.name_analyzer.c_str());
+
+        return;
+    }
+
+    analyzer::Component::factory_callback factory = nullptr;
+
+#if SPICY_VERSION_NUMBER >= 10700
+    auto proto_ = proto.value();
+#else
+    auto proto_ = proto;
+#endif
+
+    switch ( proto_ ) {
+        case hilti::rt::Protocol::TCP: factory = spicy::rt::TCP_Analyzer::InstantiateAnalyzer; break;
+        case hilti::rt::Protocol::UDP: factory = spicy::rt::UDP_Analyzer::InstantiateAnalyzer; break;
+        default: reporter->Error("unsupported protocol in analyzer"); return;
+    }
+
+    auto c = new ::zeek::analyzer::Component(info.name_zeek, factory, 0);
+    AddComponent(c);
+
+    // Hack to prevent Zeekygen from reporting the ID as not having a
+    // location during the following initialization step.
+    ::zeek::detail::zeekygen_mgr->Script(info.name_zeekygen);
+    ::zeek::detail::set_location(makeLocation(info.name_zeekygen));
+
+    // TODO: Should Zeek do this? It has run component intiialization at
+    // this point already, so ours won't get initialized anymore.
+    c->Initialize();
+
+    trackComponent(c, c->Tag().Type()); // Must come after Initialize().
+
+    info.type = c->Tag().Type();
+    _protocol_analyzers_by_type.resize(info.type + 1);
+    _protocol_analyzers_by_type[info.type] = info;
+}
+
+void Manager::registerFileAnalyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types,
+                                   const std::string& parser, const std::string& replaces,
+                                   const std::string& linker_scope) {
+    SPICY_DEBUG(hilti::rt::fmt("Have Spicy file analyzer %s", name));
+
+    FileAnalyzerInfo info;
+    info.name_analyzer = name;
+    info.name_parser = parser;
+    info.name_replaces = replaces;
+    info.name_zeek = hilti::rt::replace(name, "::", "_");
+    info.name_zeekygen = hilti::rt::fmt("<Spicy-%s>", name);
+    info.mime_types = mime_types;
+    info.linker_scope = linker_scope;
+
+    // We may have that analyzer already iff it was previously pre-registered
+    // without a linker scope. We'll then only set the scope now.
+    if ( auto t = _analyzer_name_to_tag_type.find(info.name_zeek); t != _analyzer_name_to_tag_type.end() ) {
+        SPICY_DEBUG(hilti::rt::fmt("Updating already registered packet analyzer %s", name));
+
+        auto& existing = _file_analyzers_by_type.at(t->second);
+        existing.linker_scope = info.linker_scope;
+
+        // If the infos don't match now, we have two separate definitions.
+        if ( info != existing )
+            reporter->FatalError("redefinition of file analyzer %s", info.name_analyzer.c_str());
+
+        return;
+    }
+
+    auto c = new ::zeek::file_analysis::Component(info.name_zeek, spicy::rt::FileAnalyzer::InstantiateAnalyzer, 0);
+    AddComponent(c);
+
+    // Hack to prevent Zeekygen from reporting the ID as not having a
+    // location during the following initialization step.
+    ::zeek::detail::zeekygen_mgr->Script(info.name_zeekygen);
+    ::zeek::detail::set_location(makeLocation(info.name_zeekygen));
+
+    // TODO: Should Zeek do this? It has run component intiialization at
+    // this point already, so ours won't get initialized anymore.
+    c->Initialize();
+
+    trackComponent(c, c->Tag().Type()); // Must come after Initialize().
+
+    info.type = c->Tag().Type();
+    _file_analyzers_by_type.resize(info.type + 1);
+    _file_analyzers_by_type[info.type] = info;
+}
+
+void Manager::registerPacketAnalyzer(const std::string& name, const std::string& parser, const std::string& replaces,
+                                     const std::string& linker_scope) {
+    SPICY_DEBUG(hilti::rt::fmt("Have Spicy packet analyzer %s", name));
+
+    PacketAnalyzerInfo info;
+    info.name_analyzer = name;
+    info.name_replaces = replaces;
+    info.name_parser = parser;
+    info.name_zeek = hilti::rt::replace(name, "::", "_");
+    info.name_zeekygen = hilti::rt::fmt("<Spicy-%s>", info.name_zeek);
+    info.linker_scope = linker_scope;
+
+    // We may have that analyzer already iff it was previously pre-registered
+    // without a linker scope. We'll then set the scope now.
+    if ( auto t = _analyzer_name_to_tag_type.find(info.name_zeek); t != _analyzer_name_to_tag_type.end() ) {
+        SPICY_DEBUG(hilti::rt::fmt("Updating already registered packet analyzer %s", name));
+
+        auto& existing = _packet_analyzers_by_type.at(t->second);
+        assert(existing.name_analyzer == name);
+        existing.linker_scope = info.linker_scope;
+
+        // If the infos don't match now, we have two separate definitions.
+        if ( info != existing )
+            reporter->FatalError("redefinition of packet analyzer %s", info.name_analyzer.c_str());
+
+        return;
+    }
+
+    auto instantiate = [info]() -> packet_analysis::AnalyzerPtr {
+        return spicy::rt::PacketAnalyzer::Instantiate(info.name_zeek);
+    };
+
+    auto c = new ::zeek::packet_analysis::Component(info.name_zeek, instantiate, 0);
+    AddComponent(c);
+
+    // Hack to prevent Zeekygen from reporting the ID as not having a
+    // location during the following initialization step.
+    ::zeek::detail::zeekygen_mgr->Script(info.name_zeekygen);
+    ::zeek::detail::set_location(makeLocation(info.name_zeekygen));
+
+    // TODO: Should Zeek do this? It has run component intialization at
+    // this point already, so ours won't get initialized anymore.
+    c->Initialize();
+
+    trackComponent(c, c->Tag().Type()); // Must come after Initialize().
+
+    info.type = c->Tag().Type();
+    _packet_analyzers_by_type.resize(info.type + 1);
+    _packet_analyzers_by_type[info.type] = info;
+}
+
+void Manager::registerType(const std::string& id, const TypePtr& type) {
+    auto [ns, local] = parseID(id);
+
+    if ( const auto& old = detail::lookup_ID(local.c_str(), ns.c_str()) ) {
+        // This is most likely to trigger for IDs that other Spicy modules
+        // register. If we two Spicy modules need the same type, that's ok as
+        // long as they match.
+        if ( ! old->IsType() ) {
+            reporter->Error("Zeek type registration failed for '%s': ID already exists, but is not a type", id.c_str());
+            return;
+        }
+
+        if ( ! zeek::same_type(type, old->GetType()) ) {
+            reporter->Error("Zeek type registration failed for '%s': Type already exists, but differs", id.c_str());
+        }
+
+        SPICY_DEBUG(hilti::rt::fmt("Not re-registering Zeek type %s: identical type already exists", id));
+        return;
+    }
+
+    SPICY_DEBUG(hilti::rt::fmt("Registering Zeek type %s", id));
+    auto zeek_id = detail::install_ID(local.c_str(), ns.c_str(), true, true);
+    zeek_id->SetType(type);
+    zeek_id->MakeType();
+    AddBifItem(id, ::zeek::plugin::BifItem::TYPE);
+}
+
+TypePtr Manager::findType(const std::string& id) const {
+    auto [ns, local] = parseID(id);
+
+    auto zid = detail::lookup_ID(local.c_str(), ns.c_str());
+    if ( ! zid )
+        return nullptr;
+
+    if ( ! zid->IsType() )
+        return nullptr;
+
+    return zid->GetType();
+}
+
+void Manager::registerEvent(const std::string& name) {
+    // Create a Zeek handler for the event.
+    event_registry->Register(name);
+
+    // Install the ID into the corresponding namespace and export it.
+    auto n = ::hilti::rt::split(name, "::");
+    std::string mod;
+
+    if ( n.size() > 1 )
+        mod = n.front();
+    else
+        mod = detail::GLOBAL_MODULE_NAME;
+
+    if ( auto id = detail::lookup_ID(name.c_str(), mod.c_str(), false, false, false) ) {
+        // Auto-export IDs that already exist.
+        id->SetExport();
+        _events[name] = id;
+    }
+    else
+        // This installs & exports the ID, but it doesn't set its type yet.
+        // That will happen as handlers get defined. If there are no handlers,
+        // we set a dummy type in the plugin's InitPostScript
+        _events[name] = detail::install_ID(name.c_str(), mod.c_str(), false, true);
+}
+
+const ::spicy::rt::Parser* Manager::parserForProtocolAnalyzer(const Tag& tag, bool is_orig) {
+    if ( is_orig )
+        return _protocol_analyzers_by_type[tag.Type()].parser_orig;
+    else
+        return _protocol_analyzers_by_type[tag.Type()].parser_resp;
+}
+
+const ::spicy::rt::Parser* Manager::parserForFileAnalyzer(const Tag& tag) {
+    return _file_analyzers_by_type[tag.Type()].parser;
+}
+
+const ::spicy::rt::Parser* Manager::parserForPacketAnalyzer(const Tag& tag) {
+    return _packet_analyzers_by_type[tag.Type()].parser;
+}
+
+Tag Manager::tagForProtocolAnalyzer(const Tag& tag) {
+    if ( auto r = _protocol_analyzers_by_type[tag.Type()].replaces )
+        return r;
+    else
+        return tag;
+}
+
+Tag Manager::tagForFileAnalyzer(const Tag& tag) {
+    if ( auto r = _file_analyzers_by_type[tag.Type()].replaces )
+        return r;
+    else
+        return tag;
+}
+
+Tag Manager::tagForPacketAnalyzer(const Tag& tag) {
+    if ( auto r = _packet_analyzers_by_type[tag.Type()].replaces )
+        return r;
+    else
+        return tag;
+}
+
+bool Manager::toggleProtocolAnalyzer(const Tag& tag, bool enable) {
+    auto type = tag.Type();
+
+    if ( type >= _protocol_analyzers_by_type.size() )
+        return false;
+
+    const auto& analyzer = _protocol_analyzers_by_type[type];
+
+    if ( ! analyzer.type )
+        // not set -> not ours
+        return false;
+
+    if ( enable ) {
+        SPICY_DEBUG(hilti::rt::fmt("Enabling Spicy protocol analyzer %s", analyzer.name_analyzer));
+        analyzer_mgr->EnableAnalyzer(tag);
+
+        if ( analyzer.replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Disabling standard protocol analyzer %s", analyzer.name_analyzer));
+            analyzer_mgr->DisableAnalyzer(analyzer.replaces);
+        }
+    }
+    else {
+        SPICY_DEBUG(hilti::rt::fmt("Disabling Spicy protocol analyzer %s", analyzer.name_analyzer));
+        analyzer_mgr->DisableAnalyzer(tag);
+
+        if ( analyzer.replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Re-enabling standard protocol analyzer %s", analyzer.name_analyzer));
+            analyzer_mgr->EnableAnalyzer(analyzer.replaces);
+        }
+    }
+
+    return true;
+}
+
+bool Manager::toggleFileAnalyzer(const Tag& tag, bool enable) {
+    auto type = tag.Type();
+
+    if ( type >= _file_analyzers_by_type.size() )
+        return false;
+
+    const auto& analyzer = _file_analyzers_by_type[type];
+
+    if ( ! analyzer.type )
+        // not set -> not ours
+        return false;
+
+    file_analysis::Component* component = file_mgr->Lookup(tag);
+    file_analysis::Component* component_replaces = analyzer.replaces ? file_mgr->Lookup(analyzer.replaces) : nullptr;
+
+    if ( ! component ) {
+        // Shouldn't really happen.
+        reporter->InternalError("failed to lookup file analyzer component");
+        return false;
+    }
+
+    if ( enable ) {
+        SPICY_DEBUG(hilti::rt::fmt("Enabling Spicy file analyzer %s", analyzer.name_analyzer));
+        component->SetEnabled(true);
+
+        if ( component_replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Disabling standard file analyzer %s", analyzer.name_analyzer));
+            component_replaces->SetEnabled(false);
+        }
+    }
+    else {
+        SPICY_DEBUG(hilti::rt::fmt("Disabling Spicy file analyzer %s", analyzer.name_analyzer));
+        component->SetEnabled(false);
+
+        if ( component_replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Enabling standard file analyzer %s", analyzer.name_analyzer));
+            component_replaces->SetEnabled(true);
+        }
+    }
+
+    return true;
+}
+
+bool Manager::togglePacketAnalyzer(const Tag& tag, bool enable) {
+    auto type = tag.Type();
+
+    if ( type >= _packet_analyzers_by_type.size() )
+        return false;
+
+    const auto& analyzer = _packet_analyzers_by_type[type];
+
+    if ( ! analyzer.type )
+        // not set -> not ours
+        return false;
+
+    packet_analysis::Component* component = packet_mgr->Lookup(tag);
+    packet_analysis::Component* component_replaces =
+        analyzer.replaces ? packet_mgr->Lookup(analyzer.replaces) : nullptr;
+
+    if ( ! component ) {
+        // Shouldn't really happen.
+        reporter->InternalError("failed to lookup packet analyzer component");
+        return false;
+    }
+
+    if ( enable ) {
+        SPICY_DEBUG(hilti::rt::fmt("Enabling Spicy packet analyzer %s", analyzer.name_analyzer));
+        component->SetEnabled(true);
+
+        if ( component_replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Disabling standard packet analyzer %s", analyzer.name_analyzer));
+            component_replaces->SetEnabled(false);
+        }
+    }
+    else {
+        SPICY_DEBUG(hilti::rt::fmt("Disabling Spicy packet analyzer %s", analyzer.name_analyzer));
+        component->SetEnabled(false);
+
+        if ( component_replaces ) {
+            SPICY_DEBUG(hilti::rt::fmt("Enabling standard packet analyzer %s", analyzer.name_analyzer));
+            component_replaces->SetEnabled(true);
+        }
+    }
+
+    return true;
+}
+
+bool Manager::toggleAnalyzer(EnumVal* tag, bool enable) {
+    if ( tag->GetType() == analyzer_mgr->GetTagType() ) {
+        if ( auto analyzer = analyzer_mgr->Lookup(tag) )
+            return toggleProtocolAnalyzer(analyzer->Tag(), enable);
+        else
+            return false;
+    }
+
+    if ( tag->GetType() == file_mgr->GetTagType() ) {
+        if ( auto analyzer = file_mgr->Lookup(tag) )
+            return toggleFileAnalyzer(analyzer->Tag(), enable);
+        else
+            return false;
+    }
+
+    if ( tag->GetType() == packet_mgr->GetTagType() ) {
+        if ( auto analyzer = packet_mgr->Lookup(tag) )
+            return togglePacketAnalyzer(analyzer->Tag(), enable);
+        else
+            return false;
+    }
+
+    return false;
+}
+
+static std::unique_ptr<detail::Location> _makeLocation(const std::string& location) {
+    static std::set<std::string> filenames; // see comment below in parse_location
+
+    auto parse_location = [](const auto& s) -> std::unique_ptr<detail::Location> {
+        // This is not so great; In the HILTI runtome we pass locations
+        // around as string. To pass them to Zeek, we need to unsplit the
+        // strings into file name and line number. Zeek also won't clean up
+        // the file names, so we need to track them ourselves.
+        auto x = hilti::rt::split(s, ":");
+        if ( x[0].empty() )
+            return nullptr;
+
+        auto loc = std::make_unique<detail::Location>();
+        loc->filename = filenames.insert(std::string(x[0])).first->c_str(); // we retain ownership
+
+        if ( x.size() >= 2 ) {
+            auto y = hilti::rt::split(x[1], "-");
+            if ( y.size() >= 2 ) {
+                loc->first_line = std::stoi(std::string(y[0]));
+                loc->last_line = std::stoi(std::string(y[1]));
+            }
+            else if ( y[0].size() )
+                loc->first_line = loc->last_line = std::stoi(std::string(y[0]));
+        }
+
+        return loc;
+    };
+
+    if ( location.size() )
+        return parse_location(location);
+    else if ( auto hilti_location = hilti::rt::debug::location() )
+        return parse_location(hilti_location);
+    else
+        return nullptr;
+}
+
+void Manager::analyzerError(analyzer::Analyzer* a, const std::string& msg, const std::string& location) {
+    auto zeek_location = _makeLocation(location);
+    reporter->PushLocation(zeek_location.get());
+    reporter->AnalyzerError(a, "%s", msg.c_str());
+    reporter->PopLocation();
+}
+
+void Manager::analyzerError(file_analysis::Analyzer* a, const std::string& msg, const std::string& location) {
+    auto zeek_location = _makeLocation(location);
+    reporter->PushLocation(zeek_location.get());
+
+    // We don't have an reporter error for file analyzers, so we log this as a
+    // weird instead.
+    if ( a && a->GetFile() )
+        reporter->Weird(a->GetFile(), "file_error", msg.c_str());
+    else
+        reporter->Weird("file_error", msg.c_str());
+
+    reporter->PopLocation();
+
+    if ( a )
+        a->SetSkip(1); // Imitate what AnalyzerError() does for protocol analyzers.
+}
+
+void Manager::analyzerError(packet_analysis::Analyzer* a, const std::string& msg, const std::string& location) {
+    auto zeek_location = _makeLocation(location);
+    reporter->PushLocation(zeek_location.get());
+    // We don't have an reporter error for packet analyzers, so we log
+    // this as a weird instead.
+    reporter->Weird("packet_error", msg.c_str());
+    reporter->PopLocation();
+}
+
+plugin::Configuration Manager::Configure() {
+    ::zeek::plugin::Configuration config;
+    config.name = "Zeek::Spicy";
+    config.description = "Support for Spicy parsers (*.hlto)";
+
+    EnableHook(::zeek::plugin::HOOK_LOAD_FILE);
+
+    return config;
+}
+
+void Manager::InitPreScript() {
+    SPICY_DEBUG("Beginning pre-script initialization");
+
+#if SPICY_VERSION_NUMBER >= 10700
+    hilti::rt::executeManualPreInits();
+#endif
+
+    autoDiscoverModules();
+
+    SPICY_DEBUG("Done with pre-script initialization");
+}
+
+// Returns a port's Zeek-side transport protocol.
+static ::TransportProto transport_protocol(const hilti::rt::Port port) {
+#if SPICY_VERSION_NUMBER >= 10700
+    auto proto = port.protocol().value();
+#else
+    auto proto = port.protocol();
+#endif
+
+    switch ( proto ) {
+        case hilti::rt::Protocol::TCP: return ::TransportProto::TRANSPORT_TCP;
+        case hilti::rt::Protocol::UDP: return ::TransportProto::TRANSPORT_UDP;
+        case hilti::rt::Protocol::ICMP: return ::TransportProto::TRANSPORT_ICMP;
+        default:
+            reporter->InternalError("unsupported transport protocol in port '%s' for Zeek conversion",
+                                    std::string(port).c_str());
+            return ::TransportProto::TRANSPORT_UNKNOWN;
+    }
+}
+
+static void hook_accept_input() {
+    auto cookie = static_cast<rt::Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
+        SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString()));
+        return x->analyzer->AnalyzerConfirmation(tag);
+    }
+}
+
+static void hook_decline_input(const std::string& reason) {
+    auto cookie = static_cast<rt::Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
+        SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
+        return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
+    }
+}
+
+void Manager::InitPostScript() {
+    SPICY_DEBUG("Beginning post-script initialization");
+
+    disableReplacedAnalyzers();
+
+    // If there's no handler for one of our events, it won't have received a
+    // type. Give it a dummy event type in that case, so that we don't walk
+    // around with a nullptr.
+    for ( const auto& [name, id] : _events ) {
+        if ( ! id->GetType() ) {
+            auto args = make_intrusive<RecordType>(new type_decl_list());
+            auto et = make_intrusive<FuncType>(std::move(args), base_type(TYPE_VOID), FUNC_FLAVOR_EVENT);
+            id->SetType(std::move(et));
+        }
+    }
+
+    // Init runtime, which will trigger all initialization code to execute.
+    SPICY_DEBUG("Initializing Spicy runtime");
+
+    auto hilti_config = hilti::rt::configuration::get();
+
+    if ( id::find_const("Spicy::enable_print")->AsBool() ) // NOLINT(clang-analyzer-cplusplus.NewDeleteLeaks)
+        hilti_config.cout = std::cout;
+    else
+        hilti_config.cout.reset();
+
+    if ( id::find_const("Spicy::enable_profiling")->AsBool() )
+#if SPICY_VERSION_NUMBER >= 10800
+        hilti_config.enable_profiling = true;
+#else
+        std::cerr << "Profiling is not supported with this version of Spicy, ignoring "
+                     "'Spicy::enable_profiling'\n";
+#endif
+
+    hilti_config.abort_on_exceptions = id::find_const("Spicy::abort_on_exceptions")->AsBool();
+    hilti_config.show_backtraces = id::find_const("Spicy::show_backtraces")->AsBool();
+
+    hilti::rt::configuration::set(hilti_config);
+
+#if SPICY_VERSION_NUMBER >= 10700
+    auto spicy_config = ::spicy::rt::configuration::get();
+    spicy_config.hook_accept_input = hook_accept_input;
+    spicy_config.hook_decline_input = hook_decline_input;
+    ::spicy::rt::configuration::set(std::move(spicy_config));
+#endif
+
+    try {
+        ::hilti::rt::init();
+        ::spicy::rt::init();
+    } catch ( const hilti::rt::Exception& e ) {
+        std::cerr << hilti::rt::fmt("uncaught runtime exception %s during initialization: %s",
+                                    hilti::rt::demangle(typeid(e).name()), e.what())
+                  << std::endl;
+        exit(1);
+    } catch ( const std::runtime_error& e ) {
+        std::cerr << hilti::rt::fmt("uncaught C++ exception %s during initialization: %s",
+                                    hilti::rt::demangle(typeid(e).name()), e.what())
+                  << std::endl;
+        exit(1);
+    }
+
+    // Fill in the parser information now that we derived from the ASTs.
+    auto find_parser = [](const std::string& analyzer, const std::string& parser,
+                          const std::string& linker_scope) -> const ::spicy::rt::Parser* {
+        if ( parser.empty() )
+            return nullptr;
+
+        for ( auto p : ::spicy::rt::parsers() ) {
+            if ( p->name == parser && p->linker_scope == linker_scope )
+                return p;
+        }
+
+        reporter->InternalError("Unknown Spicy parser '%s' requested by analyzer '%s'", parser.c_str(),
+                                analyzer.c_str());
+
+        return nullptr; // cannot be reached
+    };
+
+    for ( auto& p : _protocol_analyzers_by_type ) {
+        if ( p.type == 0 )
+            // vector element not set
+            continue;
+
+        SPICY_DEBUG(hilti::rt::fmt("Registering %s protocol analyzer %s with Zeek", p.protocol, p.name_analyzer));
+
+        p.parser_orig = find_parser(p.name_analyzer, p.name_parser_orig, p.linker_scope);
+        p.parser_resp = find_parser(p.name_analyzer, p.name_parser_resp, p.linker_scope);
+
+        // Register analyzer for its well-known ports.
+        auto tag = analyzer_mgr->GetAnalyzerTag(p.name_zeek.c_str());
+        if ( ! tag )
+            reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str());
+
+        for ( const auto& ports : p.ports ) {
+            const auto proto = ports.begin.protocol();
+
+            // Port ranges are closed intervals.
+            for ( auto port = ports.begin.port(); port <= ports.end.port(); ++port ) {
+                const auto port_ = hilti::rt::Port(port, proto);
+                SPICY_DEBUG(hilti::rt::fmt("  Scheduling analyzer for port %s", port_));
+                analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port);
+
+                // Explicitly prevent overflow.
+                if ( port == std::numeric_limits<decltype(port)>::max() )
+                    break;
+            }
+        }
+
+        if ( p.parser_resp ) {
+            for ( auto port : p.parser_resp->ports ) {
+                if ( port.direction != ::spicy::rt::Direction::Both &&
+                     port.direction != ::spicy::rt::Direction::Responder )
+                    continue;
+
+                SPICY_DEBUG(hilti::rt::fmt("  Scheduling analyzer for port %s", port.port));
+                analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port.port), port.port.port());
+            }
+        }
+    }
+
+    for ( auto& p : _file_analyzers_by_type ) {
+        if ( p.type == 0 )
+            // vector element not set
+            continue;
+
+        SPICY_DEBUG(hilti::rt::fmt("Registering file analyzer %s with Zeek", p.name_analyzer.c_str()));
+
+        p.parser = find_parser(p.name_analyzer, p.name_parser, p.linker_scope);
+
+        // Register analyzer for its MIME types.
+        auto tag = file_mgr->GetComponentTag(p.name_zeek.c_str());
+        if ( ! tag )
+            reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str());
+
+        auto register_analyzer_for_mime_type = [&](auto tag, const std::string& mt) {
+            SPICY_DEBUG(hilti::rt::fmt("  Scheduling analyzer for MIME type %s", mt));
+
+            // MIME types are registered in scriptland, so we'll raise an
+            // event that will do it for us through a predefined handler.
+            zeek::Args vals = Args();
+            vals.emplace_back(tag.AsVal());
+            vals.emplace_back(make_intrusive<StringVal>(mt));
+            EventHandlerPtr handler = event_registry->Register("spicy_analyzer_for_mime_type");
+            event_mgr.Enqueue(handler, vals);
+        };
+
+        for ( const auto& mt : p.mime_types )
+            register_analyzer_for_mime_type(tag, mt);
+
+        if ( p.parser ) {
+            for ( const auto& mt : p.parser->mime_types )
+                register_analyzer_for_mime_type(tag, mt);
+        }
+    }
+
+    for ( auto& p : _packet_analyzers_by_type ) {
+        if ( p.type == 0 )
+            // vector element not set
+            continue;
+
+        SPICY_DEBUG(hilti::rt::fmt("Registering packet analyzer %s with Zeek", p.name_analyzer.c_str()));
+        p.parser = find_parser(p.name_analyzer, p.name_parser, p.linker_scope);
+    }
+
+    SPICY_DEBUG("Done with post-script initialization");
+}
+
+void Manager::Done() {
+    SPICY_DEBUG("Shutting down Spicy runtime");
+    ::spicy::rt::done();
+    hilti::rt::done();
+}
+
+void Manager::loadModule(const hilti::rt::filesystem::path& path) {
+    try {
+        // If our auto discovery ends up finding the same module multiple times,
+        // we ignore subsequent requests.
+        std::error_code ec;
+        auto canonical_path = hilti::rt::filesystem::canonical(path, ec);
+        if ( ec )
+            hilti::rt::fatalError(hilti::rt::fmt("could not compute canonical path for %s: %s", path, ec.message()));
+
+        if ( auto [library, inserted] = _libraries.insert({canonical_path, hilti::rt::Library(canonical_path)});
+             inserted ) {
+            SPICY_DEBUG(hilti::rt::fmt("Loading %s", canonical_path.native()));
+            if ( auto load = library->second.open(); ! load )
+                hilti::rt::fatalError(
+                    hilti::rt::fmt("could not open library path %s: %s", canonical_path, load.error()));
+        }
+        else {
+            SPICY_DEBUG(hilti::rt::fmt("Ignoring duplicate loading request for %s", canonical_path.native()));
+        }
+#if SPICY_VERSION_NUMBER >= 10700
+    } catch ( const ::hilti::rt::UsageError& e ) {
+#else
+    } catch ( const ::hilti::rt::UserException& e ) {
+#endif
+        hilti::rt::fatalError(e.what());
+    }
+}
+
+int Manager::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) {
+    auto ext = hilti::rt::filesystem::path(file).extension();
+
+    if ( ext == ".hlto" ) {
+        loadModule(file);
+        return 1;
+    }
+
+    if ( ext == ".spicy" || ext == ".evt" || ext == ".hlt" )
+        reporter->FatalError("cannot load '%s': analyzers need to be precompiled with 'spicyz' ", file.c_str());
+
+    return -1;
+}
+
+void Manager::searchModules(const std::string& paths) {
+    for ( const auto& dir : hilti::rt::split(paths, ":") ) {
+        auto trimmed_dir = hilti::rt::trim(dir);
+        if ( trimmed_dir.empty() )
+            continue;
+
+        std::error_code ec;
+        if ( auto is_directory = hilti::rt::filesystem::is_directory(trimmed_dir, ec); ec || ! is_directory ) {
+            SPICY_DEBUG(hilti::rt::fmt("Module directory %s cannot be read, skipping", trimmed_dir));
+            continue;
+        }
+
+        SPICY_DEBUG(hilti::rt::fmt("Searching %s for *.hlto", trimmed_dir));
+
+        auto it = hilti::rt::filesystem::recursive_directory_iterator(trimmed_dir, ec);
+        if ( ! ec ) {
+            while ( it != hilti::rt::filesystem::recursive_directory_iterator() ) {
+                if ( it->is_regular_file() && it->path().extension() == ".hlto" )
+                    loadModule(it->path());
+
+                if ( it.increment(ec); ec ) {
+                    hilti::rt::warning(hilti::rt::fmt("Error iterating over %s, skipping any remaining files: %s",
+                                                      trimmed_dir, ec.message()));
+                    break;
+                }
+            }
+        }
+        else
+            hilti::rt::warning(hilti::rt::fmt("Cannot iterate over %s, skipping: %s", trimmed_dir, ec.message()));
+    }
+};
+
+detail::Location Manager::makeLocation(const std::string& fname) {
+    auto x = _locations.insert(fname);
+    return detail::Location(x.first->c_str(), 0, 0, 0, 0);
+}
+
+void Manager::autoDiscoverModules() {
+    // Always search Zeek's plugin path for modules, that's where zkg puts
+    // them.
+    searchModules(util::zeek_plugin_path());
+
+    if ( auto search_paths = hilti::rt::getenv("ZEEK_SPICY_MODULE_PATH"); search_paths && search_paths->size() )
+        // This overrides all other paths.
+        searchModules(*search_paths);
+    else
+        searchModules(ZEEK_SPICY_MODULE_PATH);
+}
+
+void Manager::disableReplacedAnalyzers() {
+    for ( auto& info : _protocol_analyzers_by_type ) {
+        if ( info.name_replaces.empty() )
+            continue;
+
+        auto replaces = info.name_replaces.c_str();
+
+        if ( file_mgr->Lookup(replaces) || packet_mgr->Lookup(replaces) )
+            reporter->FatalError("cannot replace '%s' analyzer with a protocol analyzer", replaces);
+
+        auto tag = analyzer_mgr->GetAnalyzerTag(replaces);
+        if ( ! tag ) {
+            SPICY_DEBUG(hilti::rt::fmt("%s is supposed to replace protocol analyzer %s, but that does not exist",
+                                       info.name_analyzer, replaces));
+
+            continue;
+        }
+
+        SPICY_DEBUG(hilti::rt::fmt("%s replaces existing protocol analyzer %s", info.name_analyzer, replaces));
+        info.replaces = tag;
+        analyzer_mgr->DisableAnalyzer(tag);
+    }
+
+    for ( auto& info : _file_analyzers_by_type ) {
+        if ( info.name_replaces.empty() )
+            continue;
+
+        auto replaces = info.name_replaces.c_str();
+
+        if ( analyzer_mgr->Lookup(replaces) || packet_mgr->Lookup(replaces) )
+            reporter->FatalError("cannot replace '%s' analyzer with a file analyzer", replaces);
+
+        auto component = file_mgr->Lookup(replaces);
+        if ( ! component ) {
+            SPICY_DEBUG(hilti::rt::fmt("%s is supposed to replace file analyzer %s, but that does not exist",
+                                       info.name_analyzer, replaces));
+
+            continue;
+        }
+
+        SPICY_DEBUG(hilti::rt::fmt("%s replaces existing file analyzer %s", info.name_analyzer, replaces));
+        info.replaces = component->Tag();
+        component->SetEnabled(false);
+    }
+
+    for ( auto& info : _packet_analyzers_by_type ) {
+        if ( info.name_replaces.empty() )
+            continue;
+
+        auto replaces = info.name_replaces.c_str();
+
+        auto component = packet_mgr->Lookup(replaces);
+        if ( ! component ) {
+            SPICY_DEBUG(hilti::rt::fmt("%s is supposed to replace packet analyzer %s, but that does not exist",
+                                       info.name_analyzer, replaces));
+
+            continue;
+        }
+
+        SPICY_DEBUG(hilti::rt::fmt("%s replaces existing packet analyzer %s", info.name_analyzer, replaces));
+        info.replaces = component->Tag();
+        component->SetEnabled(false);
+    }
+}
+
+void Manager::trackComponent(plugin::Component* c, int32_t tag_type) {
+    auto i = _analyzer_name_to_tag_type.insert({c->Name(), tag_type});
+    if ( ! i.second )
+        // We enforce on our end that an analyzer name can appear only once
+        // across all types of analyzers. Makes things easier and avoids
+        // confusion.
+        reporter->FatalError("duplicate analyzer name '%s'", c->Name().c_str());
+}
diff --git a/src/spicy/manager.h b/src/spicy/manager.h
new file mode 100644
index 0000000000..2233d1918e
--- /dev/null
+++ b/src/spicy/manager.h
@@ -0,0 +1,415 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <memory>
+#include <set>
+#include <string>
+#include <tuple>
+#include <unordered_map>
+#include <vector>
+
+#include <hilti/rt/library.h>
+#include <hilti/rt/logging.h>
+#include <hilti/rt/types/port.h>
+
+#include "zeek/Scope.h"
+#include "zeek/Tag.h"
+#include "zeek/plugin/Component.h"
+#include "zeek/plugin/Plugin.h"
+#include "zeek/spicy/port-range.h"
+#include "zeek/spicy/spicyz/config.h" // include for Spicy version
+
+// Macro helper to report Spicy debug messages. This forwards to
+// to both the Zeek logger and the Spicy runtime logger.
+#define SPICY_DEBUG(msg) ::zeek::spicy::log(msg);
+
+namespace hilti::rt {
+class Port;
+struct Protocol;
+} // namespace hilti::rt
+
+namespace spicy::rt {
+struct Parser;
+}
+
+namespace zeek {
+
+namespace analyzer {
+class Analyzer;
+}
+
+namespace file_analysis {
+class Analyzer;
+}
+
+namespace packet_analysis {
+class Analyzer;
+}
+
+namespace spicy {
+
+// Backend to log debug messages.
+inline void log(const std::string& msg) {
+    DBG_LOG(DBG_SPICY, "%s", msg.c_str());
+
+    if ( hilti::rt::isInitialized() )
+        HILTI_RT_DEBUG("zeek", msg);
+}
+
+
+/* Top-level entry point for Spicy functionality. */
+class Manager : public zeek::plugin::Plugin {
+public:
+    Manager() {}
+    virtual ~Manager();
+
+    /**
+     * Runtime method to register a protocol analyzer with its Zeek-side
+     * configuration. This is called at startup by generated Spicy code for
+     * each protocol analyzer defined in an EVT file.
+     *
+     * @param name name of the analyzer as defined in its EVT file
+     * @param proto analyzer's transport-layer protocol
+     * @param prts well-known ports for the analyzer; it'll be activated automatically for these
+     * @param parser_orig name of the Spicy parser for the originator side; must match the name that
+     * Spicy registers the unit's parser with
+     * @param parser_resp name of the Spicy parser for the originator side; must match the name that
+     * Spicy registers the unit's parser with
+     * @param replaces optional name of existing Zeek analyzer that this one replaces; the Zeek
+     * analyzer will automatically be disabled
+     * @param linker_scope scope of current HLTO file, which will restrict visibility of the
+     * registration
+     */
+    void registerProtocolAnalyzer(const std::string& name, hilti::rt::Protocol proto,
+                                  const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports,
+                                  const std::string& parser_orig, const std::string& parser_resp,
+                                  const std::string& replaces, const std::string& linker_scope);
+
+    /**
+     * Runtime method to register a file analyzer with its Zeek-side
+     * configuration. This is called at startup by generated Spicy code for
+     * each file analyzer defined in an EVT file
+     *
+     * @param name name of the analyzer as defined in its EVT file
+     * @param mime_types list of MIME types the analyzer handles; it'll be automatically used for
+     * all files of matching types
+     * @param parser name of the Spicy parser for parsing the file; must match the name that Spicy
+     * registers the unit's parser with
+     * @param replaces optional name of existing Zeek analyzer that this one replaces; the Zeek
+     * analyzer will automatically be disabled
+     * @param linker_scope scope of current HLTO file, which will restrict visibility of the
+     * registration
+     */
+    void registerFileAnalyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types,
+                              const std::string& parser, const std::string& replaces, const std::string& linker_scope);
+
+    /**
+     * Runtime method to register a packet analyzer with its Zeek-side
+     * configuration. This is called at startup by generated Spicy code for
+     * each packet analyzer defined in an EVT file.
+     *
+     * @param name name of the analyzer as defined in its EVT file
+     * @param parser name of the Spicy parser for parsing the packet; must
+     * match the name that Spicy registers the unit's
+     * parser with.
+     * @param replaces optional name of existing Zeek analyzer that this one
+     * replaces; the Zeek analyzer will automatically be disabled
+     * @param linker_scope scope of current HLTO file, which will restrict visibility of the
+     * registration
+     */
+    void registerPacketAnalyzer(const std::string& name, const std::string& parser, const std::string& replaces,
+                                const std::string& linker_scope);
+
+    /**
+     * Runtime method to register a Spicy-generated type with Zeek. The type
+     * must have been encountered during AST traversal already, so that its ID
+     * is known. The corresponding Zeek type will be created and registered with Zeek.
+     *
+     * @param id fully-qualified ID of the type
+     * @return error if the type could not be registered
+     */
+    hilti::rt::Result<hilti::rt::Nothing> registerType(const std::string& id);
+
+    /**
+     * Runtime method to register an already converted Spicy-generated type
+     * with Zeek.
+     *
+     * @param id fully-qualified ID of the type
+     * @param type Zeek-side type to register
+     */
+    void registerType(const std::string& id, const TypePtr& type);
+
+    /**
+     * Looks up a global type by its ID with Zeek.
+     *
+     * @param id fully-qualified Zeek-side ID of the type
+     * @return Zeek-side type, or null if not found
+     */
+    TypePtr findType(const std::string& id) const;
+
+    /**
+     * Runtime method to register a Spicy-generated event. The installs the ID
+     * Zeek-side and is called at startup by generated Spicy code for each
+     * event defined in an EVT file.
+     *
+     * @param name fully scoped name of the event
+     */
+    void registerEvent(const std::string& name);
+
+    /**
+     * Runtime method to retrieve the Spicy parser for a given Zeek protocol analyzer tag.
+     *
+     * @param analyzer requested protocol analyzer
+     * @param is_orig true if requesting the parser parser for a sessions' originator side, false
+     * for the responder
+     * @return parser, or null if we don't have one for this tag. The pointer will remain valid for
+     * the life-time of the process.
+     */
+    const ::spicy::rt::Parser* parserForProtocolAnalyzer(const Tag& tag, bool is_orig);
+
+    /**
+     * Runtime method to retrieve the Spicy parser for a given Zeek file analyzer tag.
+     *
+     * @param analyzer requested file analyzer.
+     * @return parser, or null if we don't have one for this tag. The pointer will remain valid for
+     * the life-time of the process.
+     */
+    const ::spicy::rt::Parser* parserForFileAnalyzer(const Tag& tag);
+
+    /**
+     * Runtime method to retrieve the Spicy parser for a given Zeek packet analyzer tag.
+     *
+     * @param analyzer requested packet analyzer.
+     * @return parser, or null if we don't have one for this tag. The pointer will remain
+     * valid for the life-time of the process.
+     */
+    const ::spicy::rt::Parser* parserForPacketAnalyzer(const Tag& tag);
+
+    /**
+     * Runtime method to retrieve the analyzer tag that should be passed to
+     * script-land when talking about a protocol analyzer. This is normally
+     * the analyzer's standard tag, but may be replaced with something else
+     * if the analyzer substitutes for an existing one.
+     *
+     * @param tag original tag we query for how to pass it to script-land.
+     * @return desired tag for passing to script-land.
+     */
+    Tag tagForProtocolAnalyzer(const Tag& tag);
+
+    /**
+     * Runtime method to retrieve the analyzer tag that should be passed to
+     * script-land when talking about a file analyzer. This is normally the
+     * analyzer's standard tag, but may be replaced with something else if
+     * the analyzer substitutes for an existing one.
+     *
+     * @param tag original tag we query for how to pass it to script-land.
+     * @return desired tag for passing to script-land.
+     */
+    Tag tagForFileAnalyzer(const Tag& tag);
+
+    /**
+     * Runtime method to retrieve the analyzer tag that should be passed to
+     * script-land when talking about a packet analyzer. This is normally the
+     * analyzer's standard tag, but may be replaced with something else if
+     * the analyzer substitutes for an existing one.
+     *
+     * @param tag original tag we query for how to pass it to script-land.
+     * @return desired tag for passing to script-land.
+     */
+    Tag tagForPacketAnalyzer(const Tag& tag);
+
+    /**
+     * Explicitly enable/disable a protocol analyzer. By default, all analyzers
+     * loaded will also be activated. By calling this method, an analyzer can
+     * toggled.
+     *
+     * @param analyzer tag of analyzer
+     * @param enable true to enable, false to disable
+     */
+    bool toggleProtocolAnalyzer(const Tag& tag, bool enable);
+
+    /**
+     * Explicitly enable/disable a file analyzer. By default, all analyzers
+     * loaded will also be activated. By calling this method, an analyzer can
+     * toggled.
+     *
+     * @param analyzer tag of analyzer
+     * @param enable true to enable, false to disable
+     */
+    bool toggleFileAnalyzer(const Tag& tag, bool enable);
+
+    /**
+     * Explicitly enable/disable a packet analyzer. By default, all analyzers
+     * loaded will also be activated. By calling this method, an analyzer can
+     * toggled.
+     *
+     * @note This is currently not supported because Zeek does not provide the
+     * necessary API.
+     *
+     * @param analyzer tag of analyzer
+     * @param enable true to enable, false to disable
+     */
+    bool togglePacketAnalyzer(const Tag& tag, bool enable);
+
+    /**
+     * Explicitly enable/disable an analyzer. By default, all analyzers
+     * loaded will also be activated. By calling this method, an analyzer can
+     * toggled.
+     *
+     * This method is frontend for the versions specific to
+     * protocol/file/packet analyzers. It takes an enum corresponding to either
+     * kind and branches out accordingly.
+     *
+     * @param analyzer tag of analyzer
+     * @param enable true to enable, false to disable
+     */
+    bool toggleAnalyzer(EnumVal* tag, bool enable);
+
+    /** Report an error and disable a protocol analyzer's input processing */
+    void analyzerError(analyzer::Analyzer* a, const std::string& msg, const std::string& location);
+
+    /** Report an error and disable a file analyzer's input processing */
+    void analyzerError(file_analysis::Analyzer* a, const std::string& msg, const std::string& location);
+
+    /** Report an error and disable a packet analyzer's input processing. */
+    void analyzerError(packet_analysis::Analyzer* a, const std::string& msg, const std::string& location);
+
+    /** Returns the number of errors recorded by the Zeek reporter. */
+    int numberErrors();
+
+protected:
+    // Overriding method from Zeek's plugin API.
+    zeek::plugin::Configuration Configure() override;
+
+    // Overriding method from Zeek's plugin API.
+    void InitPreScript() override;
+
+    // Overriding method from Zeek's plugin API.
+    void InitPostScript() override;
+
+    // Overriding method from Zeek's plugin API.
+    void Done() override;
+
+    // Overriding method from Zeek's plugin API.
+    int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override;
+
+private:
+    // Load one *.hlto module.
+    void loadModule(const hilti::rt::filesystem::path& path);
+
+    // Search ZEEK_SPICY_MODULE_PATH for pre-compiled *.hlto modules and load them.
+    void autoDiscoverModules();
+
+    // Recursively search pre-compiled *.hlto in colon-separated paths.
+    void searchModules(const std::string& paths);
+
+    // Return a Zeek location object for the given file name that will stay valid.
+    detail::Location makeLocation(const std::string& fname);
+
+    // Disable any Zeek-side analyzers that are replaced by one of ours.
+    void disableReplacedAnalyzers();
+
+    /**
+     * Internal callback that records the component-to-tag-type mapping for plugin's analyzer.
+     *
+     * @param c component to track
+     * @param tag_type tag type to associate with component
+     */
+    void trackComponent(plugin::Component* c, int32_t tag_type);
+
+    /** Captures a registered protocol analyzer. */
+    struct ProtocolAnalyzerInfo {
+        // Provided when registering the analyzer.
+        std::string name_analyzer;
+        std::string name_parser_orig;
+        std::string name_parser_resp;
+        std::string name_replaces;
+        hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef;
+        hilti::rt::Vector<::zeek::spicy::rt::PortRange> ports;
+        std::string linker_scope;
+
+        // Computed and available once the analyzer has been registered.
+        std::string name_zeek;
+        std::string name_zeekygen;
+        Tag::type_t type;
+        const ::spicy::rt::Parser* parser_orig;
+        const ::spicy::rt::Parser* parser_resp;
+        Tag replaces;
+
+        bool operator==(const ProtocolAnalyzerInfo& other) const {
+            return name_analyzer == other.name_analyzer && name_parser_orig == other.name_parser_orig &&
+                   name_parser_resp == other.name_parser_resp && name_replaces == other.name_replaces &&
+                   protocol == other.protocol && ports == other.ports && linker_scope == other.linker_scope;
+        }
+
+        bool operator!=(const ProtocolAnalyzerInfo& other) const { return ! (*this == other); }
+    };
+
+    /** Captures a registered file analyzer. */
+    struct FileAnalyzerInfo {
+        // Provided when registering the analyzer.
+        std::string name_analyzer;
+        std::string name_parser;
+        std::string name_replaces;
+        hilti::rt::Vector<std::string> mime_types;
+        std::string linker_scope;
+
+        // Computed and available once the analyzer has been registered.
+        std::string name_zeek;
+        std::string name_zeekygen;
+        Tag::type_t type;
+        const ::spicy::rt::Parser* parser;
+        Tag replaces;
+
+        bool operator==(const FileAnalyzerInfo& other) const {
+            return name_analyzer == other.name_analyzer && name_parser == other.name_parser &&
+                   name_replaces == other.name_replaces && mime_types == other.mime_types &&
+                   linker_scope == other.linker_scope;
+        }
+
+        bool operator!=(const FileAnalyzerInfo& other) const { return ! (*this == other); }
+    };
+
+    /** Captures a registered file analyzer. */
+    struct PacketAnalyzerInfo {
+        // Provided when registering the analyzer.
+        std::string name_analyzer;
+        std::string name_parser;
+        std::string name_replaces;
+        std::string linker_scope;
+
+        // Computed and available once the analyzer has been registered.
+        std::string name_zeek;
+        std::string name_zeekygen;
+        Tag::type_t type;
+        const ::spicy::rt::Parser* parser;
+        Tag replaces;
+
+        // Compares only the provided attributes, as that's what defines us.
+        bool operator==(const PacketAnalyzerInfo& other) const {
+            return name_analyzer == other.name_analyzer && name_parser == other.name_parser &&
+                   name_replaces == other.name_replaces && linker_scope == other.linker_scope;
+        }
+
+        bool operator!=(const PacketAnalyzerInfo& other) const { return ! (*this == other); }
+    };
+
+    std::string _spicy_version;
+
+    std::vector<ProtocolAnalyzerInfo> _protocol_analyzers_by_type;
+    std::vector<FileAnalyzerInfo> _file_analyzers_by_type;
+    std::vector<PacketAnalyzerInfo> _packet_analyzers_by_type;
+    std::unordered_map<std::string, hilti::rt::Library> _libraries;
+    std::set<std::string> _locations;
+    std::unordered_map<std::string, detail::IDPtr> _events;
+
+    // Mapping of component names to tag types. We use this to ensure analyzer uniqueness.
+    std::unordered_map<std::string, int32_t> _analyzer_name_to_tag_type;
+};
+
+} // namespace spicy
+
+extern spicy::Manager* spicy_mgr;
+
+} // namespace zeek
diff --git a/src/spicy/packet-analyzer.cc b/src/spicy/packet-analyzer.cc
new file mode 100644
index 0000000000..f69c301bb4
--- /dev/null
+++ b/src/spicy/packet-analyzer.cc
@@ -0,0 +1,73 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/spicy/packet-analyzer.h"
+
+#include "zeek/spicy/manager.h"
+#include "zeek/spicy/runtime-support.h"
+
+using namespace zeek;
+using namespace zeek::spicy;
+using namespace zeek::spicy::rt;
+
+#ifdef DEBUG
+#define STATE_DEBUG_MSG(...) DebugMsg(__VA_ARGS__)
+#else
+#define STATE_DEBUG_MSG(...)
+#endif
+
+void PacketState::debug(const std::string& msg) { spicy::rt::debug(_cookie, msg); }
+
+static auto create_packet_state(PacketAnalyzer* analyzer) {
+    cookie::PacketAnalyzer cookie;
+    cookie.analyzer = analyzer;
+    return PacketState(std::move(cookie));
+}
+
+PacketAnalyzer::PacketAnalyzer(std::string name)
+    : packet_analysis::Analyzer(std::move(name)), _state(create_packet_state(this)) {}
+
+PacketAnalyzer::~PacketAnalyzer() = default;
+
+bool PacketAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) {
+    if ( auto parser = spicy_mgr->parserForPacketAnalyzer(_state.packet().analyzer->GetAnalyzerTag()) )
+        _state.setParser(parser);
+    else
+        reporter->FatalError("no valid unit specified for parsing");
+
+    try {
+        hilti::rt::context::CookieSetter _(_state.cookie());
+        _state.packet().next_analyzer.reset();
+        _state.packet().packet = packet;
+        _state.process(len, reinterpret_cast<const char*>(data));
+        auto offset = _state.finish();
+        assert(offset);
+        _state.packet().packet = nullptr;
+        _state.packet().packet_val = nullptr;
+        _state.reset();
+        auto num_processed = offset->Ref();
+        const auto& next_analyzer = _state.packet().next_analyzer;
+        STATE_DEBUG_MSG(hilti::rt::fmt("processed %" PRIu64 " out of %" PRIu64 " bytes, %s", num_processed, len,
+                                       (next_analyzer ? hilti::rt::fmt("next analyzer is 0x%" PRIx32, *next_analyzer) :
+                                                        std::string("no next analyzer"))));
+        if ( next_analyzer )
+            return ForwardPacket(len - num_processed, data + num_processed, packet, *next_analyzer);
+        else
+            return true;
+    } catch ( const hilti::rt::RuntimeError& e ) {
+        STATE_DEBUG_MSG(hilti::rt::fmt("error during parsing, triggering analyzer violation: %s", e.what()));
+        auto tag = _state.packet().analyzer->GetAnalyzerTag();
+
+        if ( auto* session = packet->session )
+            _state.packet().analyzer->AnalyzerViolation(e.what(), session, reinterpret_cast<const char*>(data), len,
+                                                        tag);
+
+        _state.reset();
+        return false;
+    } catch ( const hilti::rt::Exception& e ) {
+        STATE_DEBUG_MSG(e.what());
+        spicy_mgr->analyzerError(_state.packet().analyzer, e.description(),
+                                 e.location()); // this sets Zeek to skip sending any further input
+        _state.reset();
+        return false;
+    }
+}
diff --git a/src/spicy/packet-analyzer.h b/src/spicy/packet-analyzer.h
new file mode 100644
index 0000000000..7d68e322db
--- /dev/null
+++ b/src/spicy/packet-analyzer.h
@@ -0,0 +1,75 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <memory>
+#include <optional>
+#include <string>
+#include <utility>
+
+#include <hilti/rt/types/stream.h>
+
+#include <spicy/rt/driver.h>
+#include <spicy/rt/parser.h>
+
+#include "zeek/spicy/cookie.h"
+
+namespace zeek::spicy::rt {
+
+/** Parsing state for a packet. */
+class PacketState : public ::spicy::rt::driver::ParsingState {
+public:
+    /**
+     * Constructor.
+     *
+     * @param cookie cookie to associated with the packet
+     */
+    PacketState(Cookie cookie) : ParsingState(::spicy::rt::driver::ParsingType::Block), _cookie(std::move(cookie)) {}
+
+    /** Returns the cookie pointer to use with the runtime library during analysis. */
+    auto* cookie() { return &_cookie; }
+
+    /** Returns the packet-specific cookie state associated with the endpoint. */
+    auto& packet() {
+        assert(_cookie.packet);
+        return *_cookie.packet;
+    }
+
+    /**
+     * Records a debug message pertaining to the specific file.
+     *
+     * @param msg message to record
+     */
+    void DebugMsg(const std::string& msg) { debug(msg); }
+
+protected:
+    // Overridden from driver::ParsingState.
+    void debug(const std::string& msg) override;
+
+private:
+    Cookie _cookie;
+};
+
+/** A Spicy file analyzer. */
+class PacketAnalyzer : public packet_analysis::Analyzer {
+public:
+    PacketAnalyzer(std::string name);
+    virtual ~PacketAnalyzer();
+
+    /** Records a debug message. */
+    void DebugMsg(const std::string& msg) { _state.DebugMsg(msg); }
+
+    static packet_analysis::AnalyzerPtr Instantiate(std::string name) {
+        name = util::canonify_name(name);
+        return std::make_shared<PacketAnalyzer>(name);
+    }
+
+protected:
+    // Overridden from Zeek's packet analyzer.
+    bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+private:
+    PacketState _state;
+};
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/port-range.h b/src/spicy/port-range.h
new file mode 100644
index 0000000000..bbe0d58c12
--- /dev/null
+++ b/src/spicy/port-range.h
@@ -0,0 +1,32 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <cassert>
+#include <tuple>
+
+#include <hilti/rt/types/port.h>
+
+namespace zeek::spicy::rt {
+
+/** A closed ranged of ports. */
+struct PortRange {
+    PortRange() = default;
+    PortRange(hilti::rt::Port begin_, hilti::rt::Port end_) : begin(begin_), end(end_) {
+        assert(begin.port() <= end.port());
+        assert(begin.protocol() == end.protocol());
+    }
+
+    hilti::rt::Port begin; /**< first port in the range */
+    hilti::rt::Port end;   /**< last port in the range */
+};
+
+inline bool operator==(const PortRange& a, const PortRange& b) {
+    return std::tie(a.begin, a.end) == std::tie(b.begin, b.end);
+}
+
+inline bool operator!=(const PortRange& a, const PortRange& b) { return ! (a == b); }
+
+inline PortRange make_port_range(hilti::rt::Port begin, hilti::rt::Port end) { return PortRange(begin, end); }
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/protocol-analyzer.cc b/src/spicy/protocol-analyzer.cc
new file mode 100644
index 0000000000..05b64895e3
--- /dev/null
+++ b/src/spicy/protocol-analyzer.cc
@@ -0,0 +1,236 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/spicy/protocol-analyzer.h"
+
+#include "zeek/spicy/manager.h"
+#include "zeek/spicy/runtime-support.h"
+
+using namespace zeek;
+using namespace zeek::spicy;
+using namespace zeek::spicy::rt;
+
+#ifdef DEBUG
+#define STATE_DEBUG_MSG(...) DebugMsg(__VA_ARGS__)
+#else
+#define STATE_DEBUG_MSG(...)
+#endif
+
+void EndpointState::debug(const std::string& msg) { spicy::rt::debug(_cookie, msg); }
+
+static auto create_endpoint(bool is_orig, analyzer::Analyzer* analyzer, ::spicy::rt::driver::ParsingType type) {
+    static uint64_t id_counter = 0;
+
+    ++id_counter;
+
+    cookie::ProtocolAnalyzer cookie{.analyzer = analyzer,
+                                    .is_orig = is_orig,
+                                    .fstate_orig =
+                                        cookie::FileStateStack(hilti::rt::fmt("%" PRIx64 ".orig", id_counter)),
+                                    .fstate_resp =
+                                        cookie::FileStateStack(hilti::rt::fmt("%" PRIx64 ".resp", id_counter))};
+
+    // Cannot get parser here yet, analyzer may not have been fully set up.
+    return EndpointState(std::move(cookie), type);
+}
+
+ProtocolAnalyzer::ProtocolAnalyzer(analyzer::Analyzer* analyzer, ::spicy::rt::driver::ParsingType type)
+    : _originator(create_endpoint(true, analyzer, type)), _responder(create_endpoint(false, analyzer, type)) {}
+
+ProtocolAnalyzer::~ProtocolAnalyzer() {}
+
+void ProtocolAnalyzer::Init() {}
+
+void ProtocolAnalyzer::Done() {
+    Finish(true);
+    Finish(false);
+}
+
+void ProtocolAnalyzer::Process(bool is_orig, int len, const u_char* data) {
+    auto* endp = is_orig ? &_originator : &_responder;
+
+    if ( endp->protocol().analyzer->Skipping() )
+        return;
+
+    if ( ! endp->hasParser() && ! endp->isSkipping() ) {
+        auto parser = spicy_mgr->parserForProtocolAnalyzer(endp->protocol().analyzer->GetAnalyzerTag(), is_orig);
+        if ( parser ) {
+            if ( ! _context )
+                _context = parser->createContext();
+
+            endp->setParser(parser, _context);
+        }
+        else {
+            STATE_DEBUG_MSG(is_orig, "no unit specified for parsing");
+            endp->skipRemaining();
+            return;
+        }
+    }
+
+    try {
+        hilti::rt::context::CookieSetter _(endp->cookie());
+        endp->process(len, reinterpret_cast<const char*>(data));
+    } catch ( const hilti::rt::RuntimeError& e ) {
+        STATE_DEBUG_MSG(is_orig, hilti::rt::fmt("error during parsing, triggering analyzer violation: %s", e.what()));
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(endp->protocol().analyzer->GetAnalyzerTag());
+        endp->protocol().analyzer->AnalyzerViolation(e.what(), reinterpret_cast<const char*>(data), len, tag);
+        originator().skipRemaining();
+        responder().skipRemaining();
+        endp->protocol().analyzer->SetSkip(true);
+    } catch ( const hilti::rt::Exception& e ) {
+        spicy_mgr->analyzerError(endp->protocol().analyzer, e.description(),
+                                 e.location()); // this sets Zeek to skip sending any further input
+    }
+}
+
+void ProtocolAnalyzer::Finish(bool is_orig) {
+    auto* endp = is_orig ? &_originator : &_responder;
+
+    if ( endp->protocol().analyzer->Skipping() )
+        return;
+
+    try {
+        hilti::rt::context::CookieSetter _(endp->cookie());
+        endp->finish();
+    } catch ( const hilti::rt::RuntimeError& e ) {
+        STATE_DEBUG_MSG(is_orig, hilti::rt::fmt("error during parsing, triggering analyzer violation: %s", e.what()));
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(endp->protocol().analyzer->GetAnalyzerTag());
+        endp->protocol().analyzer->AnalyzerViolation(e.what(), nullptr, 0, tag);
+        endp->skipRemaining();
+    } catch ( const hilti::rt::Exception& e ) {
+        spicy_mgr->analyzerError(endp->protocol().analyzer, e.description(),
+                                 e.location()); // this sets Zeek to skip sending any further input
+    }
+}
+
+cookie::ProtocolAnalyzer& ProtocolAnalyzer::cookie(bool is_orig) {
+    if ( is_orig )
+        return _originator.protocol();
+    else
+        return _responder.protocol();
+}
+
+void ProtocolAnalyzer::DebugMsg(bool is_orig, const std::string& msg) {
+    if ( is_orig )
+        _originator.DebugMsg(msg);
+    else
+        _responder.DebugMsg(msg);
+}
+
+void ProtocolAnalyzer::FlipRoles() { std::swap(_originator, _responder); }
+
+analyzer::Analyzer* TCP_Analyzer::InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); }
+
+TCP_Analyzer::TCP_Analyzer(Connection* conn)
+    : ProtocolAnalyzer(this, ::spicy::rt::driver::ParsingType::Stream), analyzer::tcp::TCP_ApplicationAnalyzer(conn) {}
+
+TCP_Analyzer::~TCP_Analyzer() {}
+
+void TCP_Analyzer::Init() {
+    analyzer::tcp::TCP_ApplicationAnalyzer::Init();
+    ProtocolAnalyzer::Init();
+}
+
+void TCP_Analyzer::Done() {
+    analyzer::tcp::TCP_ApplicationAnalyzer::Done();
+    ProtocolAnalyzer::Done();
+
+    EndOfData(true);
+    EndOfData(false);
+}
+
+void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+
+    Process(is_orig, len, data);
+
+    if ( originator().isFinished() && responder().isFinished() &&
+         (! originator().isSkipping() || ! responder().isSkipping()) ) {
+        STATE_DEBUG_MSG(is_orig, "both endpoints finished, skipping all further TCP processing");
+        originator().skipRemaining();
+        responder().skipRemaining();
+
+        if ( is_orig ) // doesn't really matter which endpoint here.
+            originator().protocol().analyzer->SetSkip(true);
+        else
+            responder().protocol().analyzer->SetSkip(true);
+    }
+}
+
+void TCP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+
+    Process(is_orig, len, nullptr);
+}
+
+void TCP_Analyzer::EndOfData(bool is_orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::EndOfData(is_orig);
+
+    if ( TCP() && TCP()->IsPartial() ) {
+        STATE_DEBUG_MSG(is_orig, "skipping end-of-data delivery on partial TCP connection");
+        return;
+    }
+
+    Finish(is_orig);
+}
+
+void TCP_Analyzer::FlipRoles() {
+    analyzer::tcp::TCP_ApplicationAnalyzer::FlipRoles();
+    ProtocolAnalyzer::FlipRoles();
+}
+
+void TCP_Analyzer::EndpointEOF(bool is_orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+    Finish(is_orig);
+}
+
+void TCP_Analyzer::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
+                                    bool gen_event) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+}
+
+void TCP_Analyzer::ConnectionFinished(bool half_finished) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+}
+
+void TCP_Analyzer::ConnectionReset() { analyzer::tcp::TCP_ApplicationAnalyzer::ConnectionReset(); }
+
+void TCP_Analyzer::PacketWithRST() { analyzer::tcp::TCP_ApplicationAnalyzer::PacketWithRST(); }
+
+analyzer::Analyzer* UDP_Analyzer::InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); }
+
+UDP_Analyzer::UDP_Analyzer(Connection* conn)
+    : ProtocolAnalyzer(this, ::spicy::rt::driver::ParsingType::Block), analyzer::Analyzer(conn) {}
+
+UDP_Analyzer::~UDP_Analyzer() {}
+
+void UDP_Analyzer::Init() {
+    analyzer::Analyzer::Init();
+    ProtocolAnalyzer::Init();
+}
+
+void UDP_Analyzer::Done() {
+    analyzer::Analyzer::Done();
+    ProtocolAnalyzer::Done();
+}
+
+void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip,
+                                 int caplen) {
+    analyzer::Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+    ++cookie(is_orig).num_packets;
+    Process(is_orig, len, data);
+}
+
+void UDP_Analyzer::Undelivered(uint64_t seq, int len, bool is_orig) {
+    analyzer::Analyzer::Undelivered(seq, len, is_orig);
+}
+
+void UDP_Analyzer::EndOfData(bool is_orig) {
+    analyzer::Analyzer::EndOfData(is_orig);
+    Finish(is_orig);
+}
+
+void UDP_Analyzer::FlipRoles() {
+    analyzer::Analyzer::FlipRoles();
+    ProtocolAnalyzer::FlipRoles();
+}
diff --git a/src/spicy/protocol-analyzer.h b/src/spicy/protocol-analyzer.h
new file mode 100644
index 0000000000..71be171aff
--- /dev/null
+++ b/src/spicy/protocol-analyzer.h
@@ -0,0 +1,166 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <optional>
+#include <string>
+#include <utility>
+
+#include <hilti/rt/types/stream.h>
+
+#include <spicy/rt/driver.h>
+#include <spicy/rt/parser.h>
+
+#include "zeek/spicy/cookie.h"
+
+namespace zeek::spicy::rt {
+
+/** Parsing state for one endpoint of the connection. */
+class EndpointState : public ::spicy::rt::driver::ParsingState {
+public:
+    /**
+     * Constructor.
+     *
+     * @param cookie cookie to associated with the endpoint
+     * @param type type of parsing, depending on whether it's a stream- or
+     * packet-based protocol
+     */
+    EndpointState(Cookie cookie, ::spicy::rt::driver::ParsingType type)
+        : ParsingState(type), _cookie(std::move(cookie)) {}
+
+    /** Returns the protocol-specific cookie state associated with the endpoint. */
+    auto& protocol() {
+        assert(_cookie.protocol);
+        return *_cookie.protocol;
+    }
+
+    /** Returns the cookie pointer to use with the runtime library during analysis. */
+    auto* cookie() { return &_cookie; }
+
+    /**
+     * Records a debug message pertaining to this specific endpoint.
+     *
+     * @param msg message to record
+     */
+    void DebugMsg(const std::string& msg) { debug(msg); }
+
+protected:
+    // Overridden from driver::ParsingState.
+    void debug(const std::string& msg) override;
+
+private:
+    Cookie _cookie;
+};
+
+/** Base clase for Spicy protocol analyzers. */
+class ProtocolAnalyzer {
+public:
+    ProtocolAnalyzer(analyzer::Analyzer* analyzer, ::spicy::rt::driver::ParsingType type);
+    virtual ~ProtocolAnalyzer();
+
+    /** Returns the originator-side parsing state. */
+    auto& originator() { return _originator; }
+
+    /** Returns the responder-side parsing state. */
+    auto& responder() { return _responder; }
+
+protected:
+    /** Initialize analyzer.  */
+    void Init();
+
+    /** Shutdown analyzer. */
+    void Done();
+
+    /**
+     * Signal that Zeek has flipped the direction of the connection, meaning
+     * that originator and responder state need to be swapped.
+     */
+    void FlipRoles();
+
+    /**
+     * Feeds a chunk of data into one side's parsing.
+     *
+     * @param is_orig true to use originator-side endpoint state, false for responder
+     * @param len number of bytes valid in *data*
+     * @param data pointer to data
+     */
+    void Process(bool is_orig, int len, const u_char* data);
+
+    /**
+     * Finalizes parsing. After calling this, no more data must be passed
+     * into Process() for the corresponding side.
+     *
+     * @param is_orig true to finish originator-side parsing, false for responder
+     */
+    void Finish(bool is_orig);
+
+    /**
+     * Helper returning the protocol analyzer cookie for the requested side.
+     *
+     * @param is_orig tru to return the originator's state, false for the
+     * responder.
+     * @return protocol analyzer cookie for the requested side
+     */
+    cookie::ProtocolAnalyzer& cookie(bool is_orig);
+
+    /**
+     * Records a debug message. This forwards to `DebugMsg()` for the
+     * corresponding `EndpointState`.
+     */
+    void DebugMsg(bool is_orig, const std::string& msg);
+
+private:
+    EndpointState _originator; /**< Originator-side state. */
+    EndpointState _responder;  /**< Responder-side state. */
+    std::optional<::spicy::rt::UnitContext> _context;
+};
+
+/**
+ * Spicy analyzer for TCP application-layer protocols. Implements the
+ * standard Zeek API.
+ */
+class TCP_Analyzer : public ProtocolAnalyzer, public analyzer::tcp::TCP_ApplicationAnalyzer {
+public:
+    TCP_Analyzer(Connection* conn);
+    virtual ~TCP_Analyzer();
+
+    // Overridden from Spicy's Analyzer.
+    void Init() override;
+    void Done() override;
+    void DeliverStream(int len, const u_char* data, bool orig) override;
+    void Undelivered(uint64_t seq, int len, bool orig) override;
+    void EndOfData(bool is_orig) override;
+    void FlipRoles() override;
+
+    // Overridden from Zeek's TCP_ApplicationAnalyzer.
+    void EndpointEOF(bool is_orig) override;
+    void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
+                          bool gen_event) override;
+    void ConnectionFinished(bool half_finished) override;
+    void ConnectionReset() override;
+    void PacketWithRST() override;
+
+    static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn);
+};
+
+/**
+ * Spicy analyzer for UDP application-layer protocols. Implements the
+ * standard Zeek API.
+ */
+class UDP_Analyzer : public ProtocolAnalyzer, public analyzer::Analyzer {
+public:
+    UDP_Analyzer(Connection* conn);
+    virtual ~UDP_Analyzer();
+
+    // Overridden from Spicy's Analyzer.
+    void Init() override;
+    void Done() override;
+    void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen) override;
+    void Undelivered(uint64_t seq, int len, bool orig) override;
+    void EndOfData(bool is_orig) override;
+    void FlipRoles() override;
+
+    static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn);
+};
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc
new file mode 100644
index 0000000000..b048e93d74
--- /dev/null
+++ b/src/spicy/runtime-support.cc
@@ -0,0 +1,842 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/spicy/runtime-support.h"
+
+#include <algorithm>
+#include <memory>
+
+#include <hilti/rt/exception.h>
+#include <hilti/rt/profiler.h>
+#include <hilti/rt/types/port.h>
+#include <hilti/rt/util.h>
+
+#include "zeek/Event.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/file_analysis/File.h"
+#include "zeek/file_analysis/Manager.h"
+#include "zeek/spicy/manager.h"
+
+using namespace zeek;
+using namespace zeek::spicy;
+
+void rt::register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto,
+                                    const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports,
+                                    const std::string& parser_orig, const std::string& parser_resp,
+                                    const std::string& replaces, const std::string& linker_scope) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/register_protocol_analyzer");
+    spicy_mgr->registerProtocolAnalyzer(name, proto, ports, parser_orig, parser_resp, replaces, linker_scope);
+}
+
+void rt::register_file_analyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types,
+                                const std::string& parser, const std::string& replaces,
+                                const std::string& linker_scope) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/register_file_analyzer");
+    spicy_mgr->registerFileAnalyzer(name, mime_types, parser, replaces, linker_scope);
+}
+
+void rt::register_packet_analyzer(const std::string& name, const std::string& parser, const std::string& replaces,
+                                  const std::string& linker_scope) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/register_packet_analyzer");
+    spicy_mgr->registerPacketAnalyzer(name, parser, replaces, linker_scope);
+}
+
+void rt::register_type(const std::string& ns, const std::string& id, const TypePtr& type) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/register_type");
+    spicy_mgr->registerType(hilti::rt::fmt("%s::%s", (! ns.empty() ? ns : std::string("GLOBAL")), id), type);
+}
+
+// Helper to look up a global Zeek-side type, enforcing that it's of the expected type.
+static TypePtr findType(TypeTag tag, const std::string& ns, const std::string& id) {
+    auto id_ = hilti::rt::fmt("%s::%s", ns, id);
+    auto type = spicy_mgr->findType(id_);
+
+    if ( ! type )
+        return nullptr;
+
+    if ( type->Tag() != tag )
+        reporter->FatalError("ID %s is not of expected type %s", id_.c_str(), type_name(tag));
+
+    return type;
+}
+
+TypePtr rt::create_base_type(ZeekTypeTag tag) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/create_base_type");
+    TypeTag ztag;
+
+    switch ( tag ) {
+        case ZeekTypeTag::Addr: ztag = TYPE_ADDR; break;
+        case ZeekTypeTag::Any: ztag = TYPE_ANY; break;
+        case ZeekTypeTag::Bool: ztag = TYPE_BOOL; break;
+        case ZeekTypeTag::Count: ztag = TYPE_COUNT; break;
+        case ZeekTypeTag::Double: ztag = TYPE_DOUBLE; break;
+        case ZeekTypeTag::Enum: ztag = TYPE_ENUM; break;
+        case ZeekTypeTag::Error: ztag = TYPE_ERROR; break;
+        case ZeekTypeTag::File: ztag = TYPE_FILE; break;
+        case ZeekTypeTag::Func: ztag = TYPE_FUNC; break;
+        case ZeekTypeTag::List: ztag = TYPE_LIST; break;
+        case ZeekTypeTag::Int: ztag = TYPE_INT; break;
+        case ZeekTypeTag::Interval: ztag = TYPE_INTERVAL; break;
+        case ZeekTypeTag::Opaque: ztag = TYPE_OPAQUE; break;
+        case ZeekTypeTag::Pattern: ztag = TYPE_PATTERN; break;
+        case ZeekTypeTag::Port: ztag = TYPE_PORT; break;
+        case ZeekTypeTag::Record: ztag = TYPE_RECORD; break;
+        case ZeekTypeTag::String: ztag = TYPE_STRING; break;
+        case ZeekTypeTag::Subnet: ztag = TYPE_SUBNET; break;
+        case ZeekTypeTag::Table: ztag = TYPE_TABLE; break;
+        case ZeekTypeTag::Time: ztag = TYPE_TIME; break;
+        case ZeekTypeTag::Type: ztag = TYPE_TYPE; break;
+        case ZeekTypeTag::Vector: ztag = TYPE_VECTOR; break;
+        case ZeekTypeTag::Void: ztag = TYPE_VOID; break;
+        default: hilti::rt::cannot_be_reached();
+    }
+
+    return base_type(ztag);
+}
+
+TypePtr rt::create_enum_type(
+    const std::string& ns, const std::string& id,
+    const hilti::rt::Vector<std::tuple<std::string, hilti::rt::integer::safe<int64_t>>>& labels) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/create_enum_type");
+
+    if ( auto t = findType(TYPE_ENUM, ns, id) )
+        return t;
+
+    auto etype = make_intrusive<EnumType>(ns + "::" + id);
+
+    for ( auto [lid, lval] : labels ) {
+        auto name = ::hilti::rt::fmt("%s_%s", id, lid);
+
+        if ( lval == -1 )
+            // Zeek's enum can't be negative, so swap in max_int for our Undef.
+            lval = std::numeric_limits<::zeek_int_t>::max();
+
+        etype->AddName(ns, name.c_str(), lval, true);
+    }
+
+    return etype;
+}
+
+TypePtr rt::create_record_type(const std::string& ns, const std::string& id,
+                               const hilti::rt::Vector<RecordField>& fields) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/create_record_type");
+
+    if ( auto t = findType(TYPE_RECORD, ns, id) )
+        return t;
+
+    auto decls = std::make_unique<type_decl_list>();
+
+    for ( const auto& [id, type, optional] : fields ) {
+        auto attrs = make_intrusive<detail::Attributes>(nullptr, true, false);
+
+        if ( optional ) {
+            auto optional_ = make_intrusive<detail::Attr>(detail::ATTR_OPTIONAL);
+            attrs->AddAttr(optional_);
+        }
+
+        decls->append(new TypeDecl(util::copy_string(id.c_str()), type, std::move(attrs)));
+    }
+
+    return make_intrusive<RecordType>(decls.release());
+}
+
+TypePtr rt::create_table_type(TypePtr key, std::optional<TypePtr> value) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/create_table_type");
+    auto idx = make_intrusive<TypeList>();
+    idx->Append(std::move(key));
+    return make_intrusive<TableType>(std::move(idx), value ? *value : nullptr);
+}
+
+TypePtr rt::create_vector_type(const TypePtr& elem) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/create_vector_type");
+    return make_intrusive<VectorType>(elem);
+}
+
+void rt::install_handler(const std::string& name) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/install_handler");
+    spicy_mgr->registerEvent(name);
+}
+
+EventHandlerPtr rt::internal_handler(const std::string& name) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/internal_handler");
+    auto handler = event_registry->Lookup(name);
+
+    if ( ! handler )
+        reporter->InternalError("Spicy event %s was not installed", name.c_str());
+
+    return handler;
+}
+
+void rt::raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector<ValPtr>& args) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/raise_event");
+
+    // Caller must have checked already that there's a handler available.
+    assert(handler);
+
+    const auto& zeek_args = const_cast<EventHandlerPtr&>(handler)->GetType()->ParamList()->GetTypes();
+    if ( args.size() != static_cast<uint64_t>(zeek_args.size()) )
+        throw TypeMismatch(hilti::rt::fmt("expected %" PRIu64 " parameters, but got %zu",
+                                          static_cast<uint64_t>(zeek_args.size()), args.size()));
+
+    Args vl = Args();
+    vl.reserve(args.size());
+    for ( const auto& v : args ) {
+        if ( v )
+            vl.emplace_back(v);
+        else
+            // Shouldn't happen here, but we have to_vals() that
+            // (legitimately) return null in certain contexts.
+            throw InvalidValue("null value encountered after conversion");
+    }
+
+    event_mgr.Enqueue(handler, std::move(vl));
+}
+
+TypePtr rt::event_arg_type(const EventHandlerPtr& handler, const hilti::rt::integer::safe<uint64_t>& idx) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/event_arg_type");
+    assert(handler);
+
+    const auto& zeek_args = const_cast<EventHandlerPtr&>(handler)->GetType()->ParamList()->GetTypes();
+    if ( idx >= static_cast<uint64_t>(zeek_args.size()) )
+        throw TypeMismatch(hilti::rt::fmt("more parameters given than the %" PRIu64 " that the Zeek event expects",
+                                          static_cast<uint64_t>(zeek_args.size())));
+
+    return zeek_args[idx];
+}
+
+ValPtr& rt::current_conn() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/current_conn");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( cookie->cache.conn )
+        return cookie->cache.conn;
+
+    if ( auto x = cookie->protocol ) {
+        cookie->cache.conn = x->analyzer->Conn()->GetVal();
+        return cookie->cache.conn;
+    }
+    else
+        throw ValueUnavailable("$conn not available");
+}
+
+ValPtr& rt::current_is_orig() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/current_is_orig");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( cookie->cache.is_orig )
+        return cookie->cache.is_orig;
+
+    if ( auto x = cookie->protocol ) {
+        cookie->cache.is_orig = val_mgr->Bool(x->is_orig);
+        return cookie->cache.is_orig;
+    }
+    else
+        throw ValueUnavailable("$is_orig not available");
+}
+
+void rt::debug(const std::string& msg) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/debug");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+    rt::debug(*cookie, msg);
+}
+
+void rt::debug(const Cookie& cookie, const std::string& msg) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/debug");
+    std::string name;
+    std::string id;
+
+    if ( const auto p = cookie.protocol ) {
+        auto name = p->analyzer->GetAnalyzerName();
+        SPICY_DEBUG(
+            hilti::rt::fmt("[%s/%" PRIu32 "/%s] %s", name, p->analyzer->GetID(), (p->is_orig ? "orig" : "resp"), msg));
+    }
+    else if ( const auto f = cookie.file ) {
+        auto name = file_mgr->GetComponentName(f->analyzer->Tag());
+        SPICY_DEBUG(hilti::rt::fmt("[%s/%" PRIu32 "] %s", name, f->analyzer->GetID(), msg));
+    }
+    else if ( const auto f = cookie.packet ) {
+        auto name = packet_mgr->GetComponentName(f->analyzer->GetAnalyzerTag());
+        SPICY_DEBUG(hilti::rt::fmt("[%s] %s", name, msg));
+    }
+    else
+        throw ValueUnavailable("neither $conn nor $file nor packet analyzer available for debug logging");
+}
+
+inline rt::cookie::FileStateStack* _file_state_stack(rt::Cookie* cookie) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_state_stack");
+
+    if ( auto c = cookie->protocol )
+        return c->is_orig ? &c->fstate_orig : &c->fstate_resp;
+    else if ( auto f = cookie->file )
+        return &f->fstate;
+    else
+        throw rt::ValueUnavailable("no current connection or file available");
+}
+
+inline const rt::cookie::FileState* _file_state(rt::Cookie* cookie, std::optional<std::string> fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_state");
+
+    auto* stack = _file_state_stack(cookie);
+    if ( fid ) {
+        if ( auto* fstate = stack->find(*fid) )
+            return fstate;
+        else
+            throw rt::ValueUnavailable(hilti::rt::fmt("no file analysis currently in flight for file ID %s", fid));
+    }
+    else {
+        if ( stack->isEmpty() )
+            throw rt::ValueUnavailable("no file analysis currently in flight");
+
+        return stack->current();
+    }
+}
+
+ValPtr rt::current_file() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/current_file");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->file )
+        return x->analyzer->GetFile()->ToVal();
+    else if ( auto* fstate = _file_state(cookie, {}) ) {
+        if ( auto* f = file_mgr->LookupFile(fstate->fid) )
+            return f->ToVal();
+    }
+
+    throw ValueUnavailable("$file not available");
+}
+
+ValPtr rt::current_packet() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/current_packet");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto c = cookie->packet ) {
+        if ( ! c->packet_val )
+            // We cache the built value in case we need it multiple times.
+            c->packet_val = c->packet->ToRawPktHdrVal();
+
+        return c->packet_val;
+    }
+    else
+        throw ValueUnavailable("$packet not available");
+}
+
+hilti::rt::Bool rt::is_orig() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/is_orig");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->protocol )
+        return x->is_orig;
+    else
+        throw ValueUnavailable("is_orig() not available in current context");
+}
+
+std::string rt::uid() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/uid");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto c = cookie->protocol ) {
+        // Retrieve the ConnVal() so that we ensure the UID has been set.
+        c->analyzer->ConnVal();
+        return c->analyzer->Conn()->GetUID().Base62("C");
+    }
+    else
+        throw ValueUnavailable("uid() not available in current context");
+}
+
+std::tuple<hilti::rt::Address, hilti::rt::Port, hilti::rt::Address, hilti::rt::Port> rt::conn_id() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/conn_id");
+
+    static auto convert_address = [](const IPAddr& zaddr) -> hilti::rt::Address {
+        const uint32_t* bytes = nullptr;
+        if ( auto n = zaddr.GetBytes(&bytes); n == 1 )
+            // IPv4
+            return hilti::rt::Address(*reinterpret_cast<const struct in_addr*>(bytes));
+        else if ( n == 4 )
+            // IPv6
+            return hilti::rt::Address(*reinterpret_cast<const struct in6_addr*>(bytes));
+        else
+            throw ValueUnavailable("unexpected IP address side from Zeek"); // shouldn't really be able to happen
+    };
+
+    static auto convert_port = [](uint32_t port, TransportProto proto) -> hilti::rt::Port {
+        auto p = ntohs(static_cast<uint16_t>(port));
+
+        switch ( proto ) {
+            case TransportProto::TRANSPORT_ICMP: return {p, hilti::rt::Protocol::ICMP};
+            case TransportProto::TRANSPORT_TCP: return {p, hilti::rt::Protocol::TCP};
+            case TransportProto::TRANSPORT_UDP: return {p, hilti::rt::Protocol::UDP};
+            case TransportProto::TRANSPORT_UNKNOWN: return {p, hilti::rt::Protocol::Undef};
+        }
+
+        hilti::rt::cannot_be_reached();
+    };
+
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto c = cookie->protocol ) {
+        const auto* conn = c->analyzer->Conn();
+        return std::make_tuple(convert_address(conn->OrigAddr()), convert_port(conn->OrigPort(), conn->ConnTransport()),
+                               convert_address(conn->RespAddr()),
+                               convert_port(conn->RespPort(), conn->ConnTransport()));
+    }
+    else
+        throw ValueUnavailable("conn_id() not available in current context");
+}
+
+void rt::flip_roles() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/flip_roles");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    rt::debug(*cookie, "flipping roles");
+
+    if ( auto x = cookie->protocol )
+        x->analyzer->Conn()->FlipRoles();
+    else
+        throw ValueUnavailable("flip_roles() not available in current context");
+}
+
+hilti::rt::integer::safe<uint64_t> rt::number_packets() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/number_packets");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->protocol ) {
+        return x->num_packets;
+    }
+    else
+        throw ValueUnavailable("number_packets() not available in current context");
+}
+
+void rt::confirm_protocol() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/confirm_protocol");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( cookie->cache.confirmed )
+        return;
+
+    if ( auto x = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
+        SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString()));
+        cookie->cache.confirmed = true;
+        return x->analyzer->AnalyzerConfirmation(tag);
+    }
+    throw ValueUnavailable("no current connection available");
+}
+
+void rt::reject_protocol(const std::string& reason) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/reject_protocol");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto x = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag());
+        SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s", tag.AsString()));
+        return x->analyzer->AnalyzerViolation("protocol rejected", nullptr, 0, tag);
+    }
+    else
+        throw ValueUnavailable("no current connection available");
+}
+
+void rt::weird(const std::string& id, const std::string& addl) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/weird");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( const auto x = cookie->protocol )
+        x->analyzer->Weird(id.c_str(), addl.data());
+    else if ( const auto x = cookie->file )
+        zeek::reporter->Weird(x->analyzer->GetFile(), id.c_str(), addl.data());
+    else if ( const auto x = cookie->packet ) {
+        x->analyzer->Weird(id.c_str(), x->packet, addl.c_str());
+    }
+    else
+        throw ValueUnavailable("none of $conn, $file, or $packet available for weird reporting");
+}
+
+void rt::protocol_begin(const std::optional<std::string>& analyzer) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_begin");
+
+    if ( analyzer ) {
+        protocol_handle_get_or_create(*analyzer);
+        return;
+    }
+
+    // Instantiate a DPD analyzer.
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    // Use a Zeek PIA stream analyzer performing DPD.
+    auto pia_tcp = std::make_unique<analyzer::pia::PIA_TCP>(c->analyzer->Conn());
+
+    // Forward empty payload to trigger lifecycle management in this analyzer tree.
+    c->analyzer->ForwardStream(0, reinterpret_cast<const u_char*>(c->analyzer), true);
+    c->analyzer->ForwardStream(0, reinterpret_cast<const u_char*>(c->analyzer), false);
+
+    // Direct child of this type already exists. We ignore this silently
+    // because that makes usage nicer if either side of the connection
+    // might end up creating the analyzer; this way the user doesn't
+    // need to track what the other side already did.
+    //
+    // We inspect the children directly to work around zeek/zeek#2899.
+    const auto& children = c->analyzer->GetChildren();
+    if ( auto it = std::find_if(children.begin(), children.end(),
+                                [&](const auto& it) {
+                                    return ! it->Removing() && ! it->IsFinished() &&
+                                           it->GetAnalyzerTag() == pia_tcp->GetAnalyzerTag();
+                                });
+         it != children.end() )
+        return;
+
+    auto child = pia_tcp.release();
+    c->analyzer->AddChildAnalyzer(child);
+
+    child->FirstPacket(true, nullptr);
+    child->FirstPacket(false, nullptr);
+}
+
+rt::ProtocolHandle rt::protocol_handle_get_or_create(const std::string& analyzer) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_handle_get_or_create");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    // Forward empty payload to trigger lifecycle management in this analyzer tree.
+    c->analyzer->ForwardStream(0, reinterpret_cast<const u_char*>(c->analyzer), true);
+    c->analyzer->ForwardStream(0, reinterpret_cast<const u_char*>(c->analyzer), false);
+
+    // If the child already exists, do not add it again so this function is idempotent.
+    //
+    // We inspect the children directly to work around zeek/zeek#2899.
+    const auto& children = c->analyzer->GetChildren();
+    if ( auto it = std::find_if(children.begin(), children.end(),
+                                [&](const auto& it) {
+                                    return ! it->Removing() && ! it->IsFinished() && it->GetAnalyzerName() == analyzer;
+                                });
+         it != children.end() )
+        return rt::ProtocolHandle((*it)->GetID());
+
+    auto child = analyzer_mgr->InstantiateAnalyzer(analyzer.c_str(), c->analyzer->Conn());
+    if ( ! child )
+        throw ZeekError(::hilti::rt::fmt("unknown analyzer '%s' requested", analyzer));
+
+    // If we had no such child before but cannot add it the analyzer was prevented.
+    //
+    // NOTE: We make this a hard error since returning e.g., an empty optional
+    // here would make it easy to incorrectly use the return value with e.g.,
+    // `protocol_data_in` or `protocol_gap`.
+    if ( ! c->analyzer->AddChildAnalyzer(child) )
+        throw ZeekError(::hilti::rt::fmt("creation of child analyzer %s was prevented", analyzer));
+
+    if ( c->analyzer->Conn()->ConnTransport() != TRANSPORT_TCP ) {
+        // Some TCP application analyzer may expect to have access to a TCP
+        // analyzer. To make that work, we'll create a fake TCP analyzer,
+        // just so that they have something to access. It won't
+        // semantically have any "TCP" to analyze obviously.
+        c->fake_tcp = std::make_shared<packet_analysis::TCP::TCPSessionAdapter>(c->analyzer->Conn());
+        static_cast<analyzer::Analyzer*>(c->fake_tcp.get())
+            ->Done(); // will never see packets; cast to get around protected inheritance
+    }
+
+    auto* child_as_tcp = dynamic_cast<analyzer::tcp::TCP_ApplicationAnalyzer*>(child);
+    if ( ! child_as_tcp )
+        throw ZeekError(
+            ::hilti::rt::fmt("could not add analyzer '%s' to connection; not a TCP-based analyzer", analyzer));
+
+    if ( c->fake_tcp )
+        child_as_tcp->SetTCP(c->fake_tcp.get());
+
+    return rt::ProtocolHandle(child->GetID());
+}
+
+void rt::protocol_data_in(const hilti::rt::Bool& is_orig, const hilti::rt::Bytes& data,
+                          const std::optional<rt::ProtocolHandle>& h) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_data_in");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    auto len = data.size();
+    auto* data_ = reinterpret_cast<const u_char*>(data.data());
+
+    if ( h ) {
+        if ( auto* output_handler = c->analyzer->GetOutputHandler() )
+            output_handler->DeliverStream(len, data_, is_orig);
+
+        auto* child = c->analyzer->FindChild(h->id());
+        if ( ! child )
+            throw ValueUnavailable(hilti::rt::fmt("unknown child analyzer %s", *h));
+
+        if ( child->IsFinished() || child->Removing() )
+            throw ValueUnavailable(hilti::rt::fmt("child analyzer %s no longer exist", *h));
+
+        child->NextStream(len, data_, is_orig);
+    }
+
+    else
+        c->analyzer->ForwardStream(len, data_, is_orig);
+}
+
+void rt::protocol_gap(const hilti::rt::Bool& is_orig, const hilti::rt::integer::safe<uint64_t>& offset,
+                      const hilti::rt::integer::safe<uint64_t>& len, const std::optional<rt::ProtocolHandle>& h) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_gap");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    if ( h ) {
+        if ( auto* output_handler = c->analyzer->GetOutputHandler() )
+            output_handler->Undelivered(offset, len, is_orig);
+
+        auto* child = c->analyzer->FindChild(h->id());
+        if ( ! child )
+            throw ValueUnavailable(hilti::rt::fmt("unknown child analyzer %s", *h));
+
+        if ( child->IsFinished() || child->Removing() )
+            throw ValueUnavailable(hilti::rt::fmt("child analyzer %s no longer exist", *h));
+
+        child->NextUndelivered(offset, len, is_orig);
+    }
+
+    else
+        c->analyzer->ForwardUndelivered(offset, len, is_orig);
+}
+
+void rt::protocol_end() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_end");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    for ( const auto& i : c->analyzer->GetChildren() )
+        c->analyzer->RemoveChildAnalyzer(i);
+}
+
+void rt::protocol_handle_close(const ProtocolHandle& handle) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/protocol_handle_close");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw ValueUnavailable("no current connection available");
+
+    auto child = c->analyzer->FindChild(handle.id());
+    if ( ! child )
+        throw ValueUnavailable(hilti::rt::fmt("unknown child analyzer %s", handle));
+
+    if ( child->IsFinished() || child->Removing() )
+        throw ValueUnavailable(hilti::rt::fmt("child analyzer %s no longer exist", handle));
+
+    child->NextEndOfData(true);
+    child->NextEndOfData(false);
+
+    c->analyzer->RemoveChildAnalyzer(handle.id());
+}
+
+rt::cookie::FileState* rt::cookie::FileStateStack::push() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file-stack-push");
+    auto fid = file_mgr->HashHandle(hilti::rt::fmt("%s.%d", _analyzer_id, ++_id_counter));
+    _stack.emplace_back(fid);
+    return &_stack.back();
+}
+
+const rt::cookie::FileState* rt::cookie::FileStateStack::find(const std::string& fid) const {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file-stack-find");
+
+    // Reverse search as the default state would be on top of the stack.
+    for ( auto i = _stack.rbegin(); i != _stack.rend(); i++ ) {
+        if ( i->fid == fid )
+            return &*i;
+    }
+
+    return nullptr;
+}
+
+void rt::cookie::FileStateStack::remove(const std::string& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file-stack-remove");
+
+    // Reverse search as the default state would be on top of the stack.
+    for ( auto i = _stack.rbegin(); i != _stack.rend(); i++ ) {
+        if ( i->fid == fid ) {
+            _stack.erase((i + 1).base()); // https://stackoverflow.com/a/1830240
+            return;
+        }
+    }
+}
+
+static void _data_in(const char* data, uint64_t len, std::optional<uint64_t> offset,
+                     const std::optional<std::string>& fid) {
+    auto cookie = static_cast<rt::Cookie*>(hilti::rt::context::cookie());
+    auto* fstate = _file_state(cookie, fid);
+    auto data_ = reinterpret_cast<const unsigned char*>(data);
+    auto mime_type = (fstate->mime_type ? *fstate->mime_type : std::string());
+
+    if ( auto c = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(c->analyzer->GetAnalyzerTag());
+
+        if ( offset )
+            file_mgr->DataIn(data_, len, *offset, tag, c->analyzer->Conn(), c->is_orig, fstate->fid, mime_type);
+        else
+            file_mgr->DataIn(data_, len, tag, c->analyzer->Conn(), c->is_orig, fstate->fid, mime_type);
+    }
+    else {
+        if ( offset )
+            file_mgr->DataIn(data_, len, *offset, Tag(), nullptr, false, fstate->fid, mime_type);
+        else
+            file_mgr->DataIn(data_, len, Tag(), nullptr, false, fstate->fid, mime_type);
+    }
+}
+
+void rt::terminate_session() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/terminate_session");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto c = cookie->protocol ) {
+        assert(session_mgr);
+        session_mgr->Remove(c->analyzer->Conn());
+    }
+    else
+        throw spicy::rt::ValueUnavailable("terminate_session() not available in the current context");
+}
+
+std::string rt::fuid() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/fuid");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto f = cookie->file ) {
+        if ( auto file = f->analyzer->GetFile() )
+            return file->GetID();
+    }
+
+    throw ValueUnavailable("fuid() not available in current context");
+}
+
+std::string rt::file_begin(const std::optional<std::string>& mime_type) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_begin");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    auto* fstate = _file_state_stack(cookie)->push();
+    fstate->mime_type = mime_type;
+
+    // Feed an empty chunk into the analysis to force creating the file state inside Zeek.
+    _data_in("", 0, {}, {});
+
+    auto file = file_mgr->LookupFile(fstate->fid);
+    assert(file); // passing in empty data ensures that this is now available
+
+    if ( auto f = cookie->file ) {
+        // We need to initialize some fa_info fields ourselves that would
+        // normally be inferred from the connection.
+
+        // Set the source to the current file analyzer.
+        file->SetSource(file_mgr->GetComponentName(f->analyzer->Tag()));
+
+        // There are some fields inside the new fa_info record that we want to
+        // set, but don't have a Zeek API for. Hence, we need to play some
+        // tricks: we can get to the fa_info value, but read-only; const_cast
+        // comes to our rescue. And then we just write directly into the
+        // record fields.
+        auto rval = file->ToVal()->AsRecordVal();
+        auto current = f->analyzer->GetFile()->ToVal()->AsRecordVal();
+        rval->Assign(id::fa_file->FieldOffset("parent_id"),
+                     current->GetField("id")); // set to parent
+        rval->Assign(id::fa_file->FieldOffset("conns"),
+                     current->GetField("conns")); // copy from parent
+        rval->Assign(id::fa_file->FieldOffset("is_orig"),
+                     current->GetField("is_orig")); // copy from parent
+    }
+
+    // Double check everybody agrees on the file ID.
+    assert(fstate->fid == file->GetID());
+    return fstate->fid;
+}
+
+void rt::file_set_size(const hilti::rt::integer::safe<uint64_t>& size, const std::optional<std::string>& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_set_size");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    auto* fstate = _file_state(cookie, fid);
+
+    if ( auto c = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(c->analyzer->GetAnalyzerTag());
+        file_mgr->SetSize(size, tag, c->analyzer->Conn(), c->is_orig, fstate->fid);
+    }
+    else
+        file_mgr->SetSize(size, Tag(), nullptr, false, fstate->fid);
+}
+
+void rt::file_data_in(const hilti::rt::Bytes& data, const std::optional<std::string>& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_data_in");
+    _data_in(data.data(), data.size(), {}, fid);
+}
+
+void rt::file_data_in_at_offset(const hilti::rt::Bytes& data, const hilti::rt::integer::safe<uint64_t>& offset,
+                                const std::optional<std::string>& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_data_in_at_offset");
+    _data_in(data.data(), data.size(), offset, fid);
+}
+
+void rt::file_gap(const hilti::rt::integer::safe<uint64_t>& offset, const hilti::rt::integer::safe<uint64_t>& len,
+                  const std::optional<std::string>& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_gap");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    auto* fstate = _file_state(cookie, fid);
+
+    if ( auto c = cookie->protocol ) {
+        auto tag = spicy_mgr->tagForProtocolAnalyzer(c->analyzer->GetAnalyzerTag());
+        file_mgr->Gap(offset, len, tag, c->analyzer->Conn(), c->is_orig, fstate->fid);
+    }
+    else
+        file_mgr->Gap(offset, len, Tag(), nullptr, false, fstate->fid);
+}
+
+void rt::file_end(const std::optional<std::string>& fid) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/file_end");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    auto* fstate = _file_state(cookie, fid);
+
+    file_mgr->EndOfFile(fstate->fid);
+    _file_state_stack(cookie)->remove(fstate->fid);
+}
+
+void rt::forward_packet(const hilti::rt::integer::safe<uint32_t>& identifier) {
+    auto _ = hilti::rt::profiler::start("zeek/rt/forward_packet");
+    auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    if ( auto c = cookie->packet )
+        c->next_analyzer = identifier;
+    else
+        throw ValueUnavailable("no current packet analyzer available");
+}
+
+hilti::rt::Time rt::network_time() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/network_time");
+    return hilti::rt::Time(run_state::network_time, hilti::rt::Time::SecondTag());
+}
diff --git a/src/spicy/runtime-support.h b/src/spicy/runtime-support.h
new file mode 100644
index 0000000000..db2f9b96ce
--- /dev/null
+++ b/src/spicy/runtime-support.h
@@ -0,0 +1,891 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+/**
+ * Functions and types available to generated Spicy/Zeek glue code.
+ */
+
+#pragma once
+
+#include <limits>
+#include <memory>
+#include <optional>
+#include <ostream>
+#include <string>
+#include <tuple>
+#include <utility>
+
+#include <hilti/rt/deferred-expression.h>
+#include <hilti/rt/exception.h>
+#include <hilti/rt/extension-points.h>
+#include <hilti/rt/fmt.h>
+#include <hilti/rt/types/all.h>
+
+#include "zeek/Desc.h"
+#include "zeek/spicy/cookie.h"
+#include "zeek/spicy/manager.h"
+#include "zeek/spicy/port-range.h"
+
+namespace zeek::spicy::rt {
+
+// Adapt to rename of exception.
+#if SPICY_VERSION_NUMBER >= 10700
+using UsageError = ::hilti::rt::UsageError;
+#else
+using UsageError = ::hilti::rt::UserException;
+#endif
+
+/**
+ * Exception thrown by event generation code if the value of an `$...`
+ * expression isn't available.
+ */
+class ValueUnavailable : public UsageError {
+public:
+    using UsageError::UsageError;
+};
+
+/**
+ * Exception thrown by event generation code if the values can't be converted
+ * to Zeek.
+ */
+class InvalidValue : public UsageError {
+public:
+    using UsageError::UsageError;
+};
+
+/**
+ * Exception thrown by event generation code if functionality is used
+ * that the current build does not support.
+ */
+class Unsupported : public UsageError {
+public:
+    using UsageError::UsageError;
+};
+
+/**
+ * Exception thrown by event generation code if there's a type mismatch
+ * between the Spicy-side value and what the Zeek event expects.
+ */
+class TypeMismatch : public UsageError {
+public:
+    TypeMismatch(const std::string_view& msg, std::string_view location = "")
+        : UsageError(hilti::rt::fmt("Event parameter mismatch, %s", msg)) {}
+    TypeMismatch(const std::string_view& have, TypePtr want, std::string_view location = "")
+        : TypeMismatch(_fmt(have, want)) {}
+
+private:
+    std::string _fmt(const std::string_view& have, TypePtr want) {
+        ODesc d;
+        want->Describe(&d);
+        return hilti::rt::fmt("cannot convert Spicy value of type '%s' to Zeek value of type '%s'", have,
+                              d.Description());
+    }
+};
+
+/**
+ * Exception thrown by the runtime library when Zeek has flagged a problem.
+ */
+class ZeekError : public UsageError {
+public:
+    using UsageError::UsageError;
+};
+
+/**
+ * Registers a Spicy protocol analyzer with its EVT meta information with the
+ * plugin's runtime.
+ */
+void register_protocol_analyzer(const std::string& name, hilti::rt::Protocol proto,
+                                const hilti::rt::Vector<::zeek::spicy::rt::PortRange>& ports,
+                                const std::string& parser_orig, const std::string& parser_resp,
+                                const std::string& replaces, const std::string& linker_scope);
+
+/**
+ * Registers a Spicy file analyzer with its EVT meta information with the
+ * plugin's runtime.
+ */
+void register_file_analyzer(const std::string& name, const hilti::rt::Vector<std::string>& mime_types,
+                            const std::string& parser, const std::string& replaces, const std::string& linker_scope);
+
+/** Reports a Zeek-side "weird". */
+void weird(const std::string& id, const std::string& addl);
+
+/**
+ * Registers a Spicy packet analyzer with its EVT meta information with the
+ * plugin's runtime.
+ */
+void register_packet_analyzer(const std::string& name, const std::string& parser, const std::string& replaces,
+                              const std::string& linker_scope);
+
+/** Registers a Spicy-generated type to make it available inside Zeek. */
+void register_type(const std::string& ns, const std::string& id, const TypePtr& type);
+
+/** Identifies a Zeek-side type. */
+enum class ZeekTypeTag : uint64_t {
+    Addr,
+    Any,
+    Bool,
+    Count,
+    Double,
+    Enum,
+    Error,
+    File,
+    Func,
+    Int,
+    Interval,
+    List,
+    Opaque,
+    Pattern,
+    Port,
+    Record,
+    String,
+    Subnet,
+    Table,
+    Time,
+    Type,
+    Vector,
+    Void,
+};
+
+extern TypePtr create_base_type(ZeekTypeTag tag);
+
+extern TypePtr create_enum_type(
+    const std::string& ns, const std::string& id,
+    const hilti::rt::Vector<std::tuple<std::string, hilti::rt::integer::safe<int64_t>>>& labels);
+
+using RecordField = std::tuple<std::string, TypePtr, hilti::rt::Bool>; // (ID, type, optional)
+extern TypePtr create_record_type(const std::string& ns, const std::string& id,
+                                  const hilti::rt::Vector<RecordField>& fields);
+
+extern TypePtr create_table_type(TypePtr key, std::optional<TypePtr> value);
+extern TypePtr create_vector_type(const TypePtr& elem);
+
+/** Returns true if an event has at least one handler defined. */
+inline hilti::rt::Bool have_handler(const EventHandlerPtr& handler) { return static_cast<bool>(handler); }
+
+/**
+ * Creates a new event handler under the given name.
+ */
+void install_handler(const std::string& name);
+
+/**
+ * Looks up an event handler by name. The handler must have been installed
+ * before through `install_handler()`.
+ */
+EventHandlerPtr internal_handler(const std::string& name);
+
+/** Raises a Zeek event, given the handler and arguments. */
+void raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector<ValPtr>& args);
+
+/**
+ * Returns the Zeek type of an event's i'th argument. The result's ref count
+ * is not increased.
+ */
+TypePtr event_arg_type(const EventHandlerPtr& handler, const hilti::rt::integer::safe<uint64_t>& idx);
+
+/**
+ * Retrieves the connection ID for the currently processed Zeek connection.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Zeek value of record type
+ */
+ValPtr& current_conn();
+
+/**
+ * Retrieves the direction of the currently processed Zeek connection.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Zeek value of boolean type
+ */
+ValPtr& current_is_orig();
+
+/**
+ * Logs a string through the Spicy plugin's debug output.
+ *
+ * @param cookie refers to the connection or file that the message is associated with
+ * @param msg message to log
+ */
+void debug(const Cookie& cookie, const std::string& msg);
+
+/**
+ * Logs a string through the Spicy plugin's debug output. This version logs
+ * the information the currently processed connection or file.
+ *
+ * @param msg message to log
+ */
+void debug(const std::string& msg);
+
+/**
+ * Retrieves the fa_file instance for the currently processed Zeek file.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Zeek value of record type
+ */
+ValPtr current_file();
+
+/**
+ * Retrieves a `raw_pkt_hdr` instance for the currently processed Zeek packet.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Zeek value of record type
+ */
+ValPtr current_packet();
+
+/**
+ * Returns true if we're currently parsing the originator side of a
+ * connection.
+ */
+hilti::rt::Bool is_orig();
+
+/**
+ * Returns the current connection's UID.
+ */
+std::string uid();
+
+/**
+ * Returns the current connection's ID tuple.
+ */
+std::tuple<hilti::rt::Address, hilti::rt::Port, hilti::rt::Address, hilti::rt::Port> conn_id();
+
+/** Instructs to Zeek to flip the directionality of the current connecction. */
+void flip_roles();
+
+/**
+ * Returns the number of packets seen so far on the current side of the
+ * current connection.
+ */
+hilti::rt::integer::safe<uint64_t> number_packets();
+
+/**
+ * Triggers a DPD protocol confirmation for the currently processed
+ * connection. Assumes that the HILTI context's cookie value has been set
+ * accordingly.
+ */
+void confirm_protocol();
+
+/**
+ * Triggers a DPD protocol violation for the currently processed connection.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @param reason short description of what went wrong
+ */
+void reject_protocol(const std::string& reason);
+
+/**
+ * Opaque handle to a protocol analyzer.
+ */
+class ProtocolHandle {
+public:
+    ProtocolHandle() {}
+    explicit ProtocolHandle(uint64_t id) : _id(id) {}
+
+    uint64_t id() const {
+        if ( ! _id )
+            throw ValueUnavailable("uninitialized protocol handle");
+
+        return *_id;
+    }
+
+    friend std::string to_string(const ProtocolHandle& h, ::hilti::rt::detail::adl::tag) {
+        if ( ! h._id )
+            return "(uninitialized protocol handle)";
+
+        return std::to_string(*h._id);
+    }
+
+    friend std::ostream& operator<<(std::ostream& stream, const ProtocolHandle& h) {
+        return stream << ::hilti::rt::to_string(h);
+    }
+
+private:
+    std::optional<uint64_t> _id;
+};
+
+/**
+ * Adds a Zeek-side child protocol analyzer to the current connection.
+ *
+ * @param analyzer if given, the Zeek-side name of the analyzer to instantiate;
+ * if not given, DPD will be used
+ */
+void protocol_begin(const std::optional<std::string>& analyzer);
+
+/**
+ * Gets a handle to a child analyzer of a given type. If a child of that type
+ * does not yet exist it will be created.
+ *
+ * @param analyzer the Zeek-side name of the analyzer to get (e.g., `HTTP`)
+ *
+ * @return a handle to the child analyzer. When done, the handle should be
+ * closed, either explicitly with protocol_handle_close or implicitly with
+ * protocol_end.
+ */
+ProtocolHandle protocol_handle_get_or_create(const std::string& analyzer);
+
+/**
+ * Forwards data to all previously instantiated Zeek-side child protocol
+ * analyzers.
+ *
+ * @param is_orig true to feed data to originator side, false for responder
+ * @param data next chunk of stream data for child analyzer to process
+ * @param h optional handle to the child analyzer to stream data into
+ */
+void protocol_data_in(const hilti::rt::Bool& is_orig, const hilti::rt::Bytes& data,
+                      const std::optional<ProtocolHandle>& h = {});
+
+/**
+ * Signals a gap in input data to all previously instantiated Zeek-side child
+ * protocol analyzers.
+ *
+ * @param is_orig true to signal gap to originator side, false for responder
+ * @param offset of the gap inside the protocol stream
+ * @param length of the gap
+ * @param h optional handle to the child analyzer to signal a gap to
+ */
+void protocol_gap(const hilti::rt::Bool& is_orig, const hilti::rt::integer::safe<uint64_t>& offset,
+                  const hilti::rt::integer::safe<uint64_t>& len, const std::optional<ProtocolHandle>& h = {});
+
+/**
+ * Signals EOD to all previously instantiated Zeek-side child protocol
+ * analyzers and removes them.
+ */
+void protocol_end();
+
+/**
+ * Closes a protocol handle.
+ *
+ * @param handle handle of the protocol analyzer to close.
+ */
+void protocol_handle_close(const ProtocolHandle& handle);
+
+/**
+ * Signals the beginning of a file to Zeek's file analysis, associating it
+ * with the current connection.
+ *
+ * param mime_type optional mime type passed to Zeek
+ * @returns Zeek-side file ID of the new file
+ */
+std::string file_begin(const std::optional<std::string>& mime_type);
+
+/**
+ * Returns the current file's FUID.
+ */
+std::string fuid();
+
+/**
+ * Terminates the currently active Zeek-side session, flushing all state. Any
+ * subsequent activity will start a new session from scratch.
+ */
+void terminate_session();
+
+/**
+ * Signals the expected size of a file to Zeek's file analysis.
+ *
+ * @param size expected final size of the file
+ * @param fid ID of the file to operate on; if unset, the most recently begun file is used
+ */
+void file_set_size(const hilti::rt::integer::safe<uint64_t>& size, const std::optional<std::string>& fid = {});
+
+/**
+ * Passes file content on to Zeek's file analysis.
+ *
+ * @param data next chunk of data
+ * @param fid ID of the file to operate on; if unset, the most recently begun file is used
+ */
+void file_data_in(const hilti::rt::Bytes& data, const std::optional<std::string>& fid = {});
+
+/**
+ * Passes file content at a specific offset on to Zeek's file analysis.
+ *
+ * @param data next chunk of data
+ * @param offset file offset of the data geing passed in
+ * @param fid ID of the file to operate on; if unset, the most recently begun file is used
+ */
+void file_data_in_at_offset(const hilti::rt::Bytes& data, const hilti::rt::integer::safe<uint64_t>& offset,
+                            const std::optional<std::string>& fid = {});
+
+/**
+ * Signals a gap in a file to Zeek's file analysis.
+ *
+ * @param offset of the gap
+ * @param length of the gap
+ * @param fid ID of the file to operate on; if unset, the most recently begun file is used
+ */
+void file_gap(const hilti::rt::integer::safe<uint64_t>& offset, const hilti::rt::integer::safe<uint64_t>& len,
+              const std::optional<std::string>& fid = {});
+
+/**
+ * Signals the end of a file to Zeek's file analysis.
+ *
+ * @param fid ID of the file to operate on; if unset, the most recently begun file is used
+ */
+void file_end(const std::optional<std::string>& fid = {});
+
+/** Specifies the next-layer packet analyzer. */
+void forward_packet(const hilti::rt::integer::safe<uint32_t>& identifier);
+
+/** Gets the network time from Zeek. */
+hilti::rt::Time network_time();
+
+// Forward-declare to_val() functions.
+template<typename T, typename std::enable_if_t<hilti::rt::is_tuple<T>::value>* = nullptr>
+ValPtr to_val(const T& t, TypePtr target);
+template<typename T, typename std::enable_if_t<std::is_base_of<::hilti::rt::trait::isStruct, T>::value>* = nullptr>
+ValPtr to_val(const T& t, TypePtr target);
+template<typename T, typename std::enable_if_t<std::is_enum<typename T::Value>::value>* = nullptr>
+ValPtr to_val(const T& t, TypePtr target);
+template<typename T, typename std::enable_if_t<std::is_enum<T>::value>* = nullptr>
+ValPtr to_val(const T& t, TypePtr target);
+template<typename K, typename V>
+ValPtr to_val(const hilti::rt::Map<K, V>& s, TypePtr target);
+template<typename T>
+ValPtr to_val(const hilti::rt::Set<T>& s, TypePtr target);
+template<typename T>
+ValPtr to_val(const hilti::rt::Vector<T>& v, TypePtr target);
+template<typename T>
+ValPtr to_val(const std::optional<T>& t, TypePtr target);
+template<typename T>
+ValPtr to_val(const hilti::rt::DeferredExpression<T>& t, TypePtr target);
+template<typename T>
+ValPtr to_val(hilti::rt::integer::safe<T> i, TypePtr target);
+template<typename T>
+ValPtr to_val(const hilti::rt::ValueReference<T>& t, TypePtr target);
+
+inline ValPtr to_val(const hilti::rt::Bool& b, TypePtr target);
+inline ValPtr to_val(const hilti::rt::Address& d, TypePtr target);
+inline ValPtr to_val(const hilti::rt::Bytes& b, TypePtr target);
+inline ValPtr to_val(const hilti::rt::Interval& t, TypePtr target);
+inline ValPtr to_val(const hilti::rt::Port& d, TypePtr target);
+inline ValPtr to_val(const hilti::rt::Time& t, TypePtr target);
+inline ValPtr to_val(const std::string& s, TypePtr target);
+inline ValPtr to_val(double r, TypePtr target);
+
+/**
+ * Converts a Spicy-side optional value to a Zeek value. This assumes the
+ * optional is set, and will throw an exception if not. The result is
+ * returned with ref count +1.
+ */
+template<typename T>
+inline ValPtr to_val(const std::optional<T>& t, TypePtr target) {
+    if ( t.has_value() )
+        return to_val(hilti::rt::optional::value(t), target);
+
+    return nullptr;
+}
+
+/**
+ * Converts a Spicy-side DeferredExpression<T> value to a Zeek value. Such
+ * result values are returned by the ``.?`` operator. If the result is not
+ * set, this will convert into nullptr (which the tuple-to-record to_val()
+ * picks up on).
+ */
+template<typename T>
+inline ValPtr to_val(const hilti::rt::DeferredExpression<T>& t, TypePtr target) {
+    try {
+        return to_val(t(), target);
+    } catch ( const hilti::rt::AttributeNotSet& ) {
+        return nullptr;
+    }
+}
+
+/**
+ * Converts a Spicy-side string to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const std::string& s, TypePtr target) {
+    if ( target->Tag() != TYPE_STRING )
+        throw TypeMismatch("string", target);
+
+    return make_intrusive<StringVal>(s);
+}
+
+/**
+ * Converts a Spicy-side bytes instance to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Bytes& b, TypePtr target) {
+    if ( target->Tag() != TYPE_STRING )
+        throw TypeMismatch("string", target);
+
+    return make_intrusive<StringVal>(b.str());
+}
+
+/**
+ * Converts a Spicy-side integer to a Zeek value. The result is
+ * returned with ref count +1.
+ */
+template<typename T>
+inline ValPtr to_val(hilti::rt::integer::safe<T> i, TypePtr target) {
+    ValPtr v = nullptr;
+    if constexpr ( std::is_unsigned<T>::value ) {
+        if ( target->Tag() == TYPE_COUNT )
+            return val_mgr->Count(i);
+
+        if ( target->Tag() == TYPE_INT )
+            return val_mgr->Int(i);
+
+        throw TypeMismatch("uint64", target);
+    }
+    else {
+        if ( target->Tag() == TYPE_INT )
+            return val_mgr->Int(i);
+
+        if ( target->Tag() == TYPE_COUNT ) {
+            if ( i >= 0 )
+                return val_mgr->Count(i);
+            else
+                throw TypeMismatch("negative int64", target);
+        }
+
+        throw TypeMismatch("int64", target);
+    }
+}
+
+template<typename T>
+ValPtr to_val(const hilti::rt::ValueReference<T>& t, TypePtr target) {
+    if ( auto* x = t.get() )
+        return to_val(*x, target);
+
+    return nullptr;
+}
+
+/**
+ * Converts a Spicy-side signed bool to a Zeek value. The result is
+ * returned with ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Bool& b, TypePtr target) {
+    if ( target->Tag() != TYPE_BOOL )
+        throw TypeMismatch("bool", target);
+
+    return val_mgr->Bool(b);
+}
+
+/**
+ * Converts a Spicy-side real to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(double r, TypePtr target) {
+    if ( target->Tag() != TYPE_DOUBLE )
+        throw TypeMismatch("double", target);
+
+    return make_intrusive<DoubleVal>(r);
+}
+
+/**
+ * Converts a Spicy-side address to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Address& d, TypePtr target) {
+    if ( target->Tag() != TYPE_ADDR )
+        throw TypeMismatch("addr", target);
+
+    auto in_addr = d.asInAddr();
+    if ( auto v4 = std::get_if<struct in_addr>(&in_addr) )
+        return make_intrusive<AddrVal>(IPAddr(*v4));
+    else {
+        auto v6 = std::get<struct in6_addr>(in_addr);
+        return make_intrusive<AddrVal>(IPAddr(v6));
+    }
+}
+
+/**
+ * Converts a Spicy-side address to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Port& p, TypePtr target) {
+    if ( target->Tag() != TYPE_PORT )
+        throw TypeMismatch("port", target);
+
+#if SPICY_VERSION_NUMBER >= 10700
+    auto proto = p.protocol().value();
+#else
+    auto proto = p.protocol();
+#endif
+
+    switch ( proto ) {
+        case hilti::rt::Protocol::TCP: return val_mgr->Port(p.port(), ::TransportProto::TRANSPORT_TCP);
+
+        case hilti::rt::Protocol::UDP: return val_mgr->Port(p.port(), ::TransportProto::TRANSPORT_UDP);
+
+        case hilti::rt::Protocol::ICMP: return val_mgr->Port(p.port(), ::TransportProto::TRANSPORT_ICMP);
+
+        default: throw InvalidValue("port value with undefined protocol");
+    }
+}
+
+/**
+ * Converts a Spicy-side time to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Interval& i, TypePtr target) {
+    if ( target->Tag() != TYPE_INTERVAL )
+        throw TypeMismatch("interval", target);
+
+    return make_intrusive<IntervalVal>(i.seconds());
+}
+
+/**
+ * Converts a Spicy-side time to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+inline ValPtr to_val(const hilti::rt::Time& t, TypePtr target) {
+    if ( target->Tag() != TYPE_TIME )
+        throw TypeMismatch("time", target);
+
+    return make_intrusive<TimeVal>(t.seconds());
+}
+
+/**
+ * Converts a Spicy-side vector to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+template<typename T>
+inline ValPtr to_val(const hilti::rt::Vector<T>& v, TypePtr target) {
+    if ( target->Tag() != TYPE_VECTOR && target->Tag() != TYPE_LIST )
+        throw TypeMismatch("expected vector or list", target);
+
+    auto vt = cast_intrusive<VectorType>(target);
+    auto zv = make_intrusive<VectorVal>(vt);
+    for ( const auto& i : v )
+        zv->Assign(zv->Size(), to_val(i, vt->Yield()));
+
+    return zv;
+}
+
+/**
+ * Converts a Spicy-side map to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+template<typename K, typename V>
+inline ValPtr to_val(const hilti::rt::Map<K, V>& m, TypePtr target) {
+    if constexpr ( hilti::rt::is_tuple<K>::value )
+        throw TypeMismatch("internal error: sets with tuples not yet supported in to_val()");
+
+    if ( target->Tag() != TYPE_TABLE )
+        throw TypeMismatch("map", target);
+
+    auto tt = cast_intrusive<TableType>(target);
+    if ( tt->IsSet() )
+        throw TypeMismatch("map", target);
+
+    if ( tt->GetIndexTypes().size() != 1 )
+        throw TypeMismatch("map with non-tuple elements", target);
+
+    auto zv = make_intrusive<TableVal>(tt);
+
+    for ( const auto& i : m ) {
+        auto k = to_val(i.first, tt->GetIndexTypes()[0]);
+        auto v = to_val(i.second, tt->Yield());
+        zv->Assign(std::move(k), std::move(v));
+    }
+
+    return zv;
+} // namespace spicy::rt
+
+/**
+ * Converts a Spicy-side set to a Zeek value. The result is returned with
+ * ref count +1.
+ */
+template<typename T>
+inline ValPtr to_val(const hilti::rt::Set<T>& s, TypePtr target) {
+    if ( target->Tag() != TYPE_TABLE )
+        throw TypeMismatch("set", target);
+
+    auto tt = cast_intrusive<TableType>(target);
+    if ( ! tt->IsSet() )
+        throw TypeMismatch("set", target);
+
+    auto zv = make_intrusive<TableVal>(tt);
+
+    for ( const auto& i : s ) {
+        if constexpr ( hilti::rt::is_tuple<T>::value )
+            throw TypeMismatch("internal error: sets with tuples not yet supported in to_val()");
+        else {
+            if ( tt->GetIndexTypes().size() != 1 )
+                throw TypeMismatch("set with non-tuple elements", target);
+
+            auto idx = to_val(i, tt->GetIndexTypes()[0]);
+            zv->Assign(std::move(idx), nullptr);
+        }
+    }
+
+    return zv;
+}
+
+namespace {
+template<typename, template<typename...> typename>
+struct is_instance_impl : std::false_type {};
+
+template<template<typename...> typename U, typename... Ts>
+struct is_instance_impl<U<Ts...>, U> : std::true_type {};
+} // namespace
+
+template<typename T, template<typename...> typename U>
+using is_instance = is_instance_impl<std::remove_cv_t<T>, U>;
+
+template<typename T>
+inline void set_record_field(RecordVal* rval, const IntrusivePtr<RecordType>& rtype, int idx, const T& x) {
+    using NoConversionNeeded = std::integral_constant<
+        bool, std::is_same_v<T, int8_t> || std::is_same_v<T, int16_t> || std::is_same_v<T, int32_t> ||
+                  std::is_same_v<T, int64_t> || std::is_same_v<T, uint8_t> || std::is_same_v<T, uint16_t> ||
+                  std::is_same_v<T, uint32_t> || std::is_same_v<T, uint64_t> || std::is_same_v<T, double> ||
+                  std::is_same_v<T, std::string> || std::is_same_v<T, bool>>;
+
+    using IsSignedInteger = std::integral_constant<bool, std::is_same_v<T, hilti::rt::integer::safe<int8_t>> ||
+                                                             std::is_same_v<T, hilti::rt::integer::safe<int16_t>> ||
+                                                             std::is_same_v<T, hilti::rt::integer::safe<int32_t>> ||
+                                                             std::is_same_v<T, hilti::rt::integer::safe<int64_t>>>;
+
+    using IsUnsignedInteger = std::integral_constant<bool, std::is_same_v<T, hilti::rt::integer::safe<uint8_t>> ||
+                                                               std::is_same_v<T, hilti::rt::integer::safe<uint16_t>> ||
+                                                               std::is_same_v<T, hilti::rt::integer::safe<uint32_t>> ||
+                                                               std::is_same_v<T, hilti::rt::integer::safe<uint64_t>>>;
+
+    if constexpr ( NoConversionNeeded::value )
+        rval->Assign(idx, x);
+    else if constexpr ( IsSignedInteger::value )
+#if ZEEK_VERSION_NUMBER >= 50200
+        rval->Assign(idx, static_cast<int64_t>(x.Ref()));
+#else
+        rval->Assign(idx, static_cast<int>(x.Ref()));
+#endif
+    else if constexpr ( IsUnsignedInteger::value )
+        rval->Assign(idx, static_cast<uint64_t>(x.Ref()));
+    else if constexpr ( std::is_same_v<T, hilti::rt::Bytes> )
+        rval->Assign(idx, x.str());
+    else if constexpr ( std::is_same_v<T, hilti::rt::Bool> )
+        rval->Assign(idx, static_cast<bool>(x));
+    else if constexpr ( std::is_same_v<T, std::string> )
+        rval->Assign(idx, x);
+    else if constexpr ( std::is_same_v<T, hilti::rt::Time> )
+        rval->AssignTime(idx, x.seconds());
+    else if constexpr ( std::is_same_v<T, hilti::rt::Interval> )
+        rval->AssignInterval(idx, x.seconds());
+    else if constexpr ( std::is_same_v<T, hilti::rt::Null> ) {
+        // "Null" turns into an unset optional record field.
+    }
+    else if constexpr ( is_instance<T, std::optional>::value ) {
+        if ( x.has_value() )
+            set_record_field(rval, rtype, idx, *x);
+    }
+    else if constexpr ( is_instance<T, hilti::rt::DeferredExpression>::value ) {
+        try {
+            set_record_field(rval, rtype, idx, x());
+        } catch ( const hilti::rt::AttributeNotSet& ) {
+            // leave unset
+        }
+    }
+    else {
+        ValPtr v = nullptr;
+
+        // This may return a nullptr in cases where the field is to be left unset.
+        v = to_val(x, rtype->GetFieldType(idx));
+
+        if ( v )
+            rval->Assign(idx, v);
+        else {
+            // Field must be &optional or &default.
+            if ( auto attrs = rtype->FieldDecl(idx)->attrs;
+                 ! attrs || ! (attrs->Find(detail::ATTR_DEFAULT) || attrs->Find(detail::ATTR_OPTIONAL)) )
+                throw TypeMismatch(hilti::rt::fmt("missing initialization for field '%s'", rtype->FieldName(idx)));
+        }
+    }
+}
+
+/**
+ * Converts a Spicy-side tuple to a Zeek record value. The result is returned
+ * with ref count +1.
+ */
+template<typename T, typename std::enable_if_t<hilti::rt::is_tuple<T>::value>*>
+inline ValPtr to_val(const T& t, TypePtr target) {
+    if ( target->Tag() != TYPE_RECORD )
+        throw TypeMismatch("tuple", target);
+
+    auto rtype = cast_intrusive<RecordType>(target);
+
+    if ( std::tuple_size<T>::value != rtype->NumFields() )
+        throw TypeMismatch("tuple", target);
+
+    auto rval = make_intrusive<RecordVal>(rtype);
+    int idx = 0;
+    hilti::rt::tuple_for_each(t, [&](const auto& x) { set_record_field(rval.get(), rtype, idx++, x); });
+
+    return rval;
+}
+
+/**
+ * Converts Spicy-side struct to a Zeek record value. The result is returned
+ * with a ref count +1.
+ */
+template<typename T, typename std::enable_if_t<std::is_base_of<::hilti::rt::trait::isStruct, T>::value>*>
+inline ValPtr to_val(const T& t, TypePtr target) {
+    if ( target->Tag() != TYPE_RECORD )
+        throw TypeMismatch("struct", target);
+
+    auto rtype = cast_intrusive<RecordType>(target);
+
+    auto rval = make_intrusive<RecordVal>(rtype);
+    int idx = 0;
+
+    auto num_fields = rtype->NumFields();
+
+    t.__visit([&](const auto& name, const auto& val) {
+        if ( idx >= num_fields )
+            throw TypeMismatch(hilti::rt::fmt("no matching record field for field '%s'", name));
+
+        auto field = rtype->GetFieldType(idx);
+        std::string field_name = rtype->FieldName(idx);
+
+        if ( field_name != name )
+            throw TypeMismatch(hilti::rt::fmt("mismatch in field name: expected '%s', found '%s'", name, field_name));
+
+        set_record_field(rval.get(), rtype, idx++, val);
+    });
+
+    // We already check above that all Spicy-side fields are mapped so we
+    // can only hit this if there are uninitialized Zeek-side fields left.
+    if ( idx != num_fields )
+        throw TypeMismatch(hilti::rt::fmt("missing initialization for field '%s'", rtype->FieldName(idx + 1)));
+
+    return rval;
+}
+
+/**
+ * Converts a Spicy-side enum to a Zeek record value. The result is returned
+ * with ref count +1.
+ */
+template<typename T, typename std::enable_if_t<std::is_enum<typename T::Value>::value>*>
+inline ValPtr to_val(const T& t, TypePtr target) {
+#if SPICY_VERSION_NUMBER >= 10700
+    auto proto = typename T::Value(t.value());
+#else
+    auto proto = t;
+#endif
+
+    return to_val(proto, target);
+}
+
+/**
+ * Converts a C++ Spicy-side enum to a Zeek record value. The result is returned
+ * with ref count +1. This specialization is provided for compatibility with <spicy-1.7.0.
+ *
+ * TODO(bbannier): remove this once we drop support for Spicy versions before 1.7.0.
+ */
+template<typename T, typename std::enable_if_t<std::is_enum<T>::value>*>
+inline ValPtr to_val(const T& t, TypePtr target) {
+    if ( target->Tag() != TYPE_ENUM )
+        throw TypeMismatch("enum", target);
+
+    // We'll usually be getting an int64_t for T, but allow other signed ints
+    // as well.
+    static_assert(std::is_signed<std::underlying_type_t<T>>{});
+    auto it = static_cast<int64_t>(t);
+
+    // Zeek's enum can't be negative, so we swap in max_int for our Undef (-1).
+    if ( it == std::numeric_limits<int64_t>::max() )
+        // can't allow this ...
+        throw InvalidValue("enum values with value max_int not supported by Zeek integration");
+
+    zeek_int_t bt = (it >= 0 ? it : std::numeric_limits<::zeek_int_t>::max());
+
+    return target->AsEnumType()->GetEnumVal(bt);
+}
+
+} // namespace zeek::spicy::rt
diff --git a/src/spicy/spicy.bif b/src/spicy/spicy.bif
new file mode 100644
index 0000000000..cb2c685a2e
--- /dev/null
+++ b/src/spicy/spicy.bif
@@ -0,0 +1,62 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+module Spicy;
+
+%%{
+    #include "zeek/spicy/manager.h"
+%%}
+
+# Constant for testing if Spicy is available.
+const available: bool;
+
+# Show output of Spicy print statements.
+const enable_print: bool;
+
+# Record and display profiling information.
+const enable_profiling: bool;
+
+# abort() instead of throwing HILTI # exceptions.
+const abort_on_exceptions: bool;
+
+# Include backtraces when reporting unhandled exceptions.
+const show_backtraces: bool;
+
+# Maximum depth of recursive file analysis.
+const max_file_depth: count;
+
+event max_file_depth_exceeded%(f: fa_file, args: Files::AnalyzerArgs, limit: count%);
+
+function Spicy::__toggle_analyzer%(tag: any, enable: bool%) : bool
+        %{
+        if ( tag->GetType()->Tag() != TYPE_ENUM ) {
+            zeek::reporter->Warning("Spicy::disable_analyzer() must receive an analyzer tag");
+            return val_mgr->Bool(false);
+            }
+
+        bool result = spicy_mgr->toggleAnalyzer(tag->AsEnumVal(), enable);
+        if ( ! result )
+            zeek::reporter->Warning("could not toggle Spicy analyzer");
+
+        return val_mgr->Bool(result);
+        %}
+
+type ResourceUsage: record;
+
+function Spicy::__resource_usage%(%) : Spicy::ResourceUsage
+    %{
+    auto ru = hilti::rt::resource_usage();
+
+    auto r = zeek::make_intrusive<zeek::RecordVal>(BifType::Record::Spicy::ResourceUsage);
+    int n = 0;
+    r->Assign(n++, ru.user_time);
+    r->Assign(n++, ru.system_time);
+    r->Assign(n++, ru.memory_heap);
+    r->Assign(n++, ru.num_fibers);
+    r->Assign(n++, ru.max_fibers);
+#if SPICY_VERSION_NUMBER >= 10800
+    r->Assign(n++, ru.max_fiber_stack_size);
+#endif
+    r->Assign(n++, ru.cached_fibers);
+
+    return r;
+    %}
diff --git a/src/spicy/spicyz/CMakeLists.txt b/src/spicy/spicyz/CMakeLists.txt
new file mode 100644
index 0000000000..003564af21
--- /dev/null
+++ b/src/spicy/spicyz/CMakeLists.txt
@@ -0,0 +1,11 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+configure_file(config.h.in config.h)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/config.h DESTINATION include/zeek/spicy/spicyz)
+
+add_executable(spicyz driver.cc glue-compiler.cc main.cc)
+target_compile_options(spicyz PRIVATE "-Wall")
+target_include_directories(spicyz PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(spicyz PRIVATE hilti spicy)
+
+install(TARGETS spicyz DESTINATION ${CMAKE_INSTALL_BINDIR})
diff --git a/src/spicy/spicyz/config.h.in b/src/spicy/spicyz/config.h.in
new file mode 100644
index 0000000000..a3bed47c21
--- /dev/null
+++ b/src/spicy/spicyz/config.h.in
@@ -0,0 +1,67 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <string>
+
+#include <hilti/rt/filesystem.h>
+
+#include "zeek/zeek-config-paths.h"
+
+namespace zeek::spicy::configuration {
+
+using path = hilti::rt::filesystem::path;
+
+namespace {
+
+// This mimics zeek-config to get the Zeek include directories.
+static inline void add_path(std::string& old_path, const path& new_path) {
+    if ( new_path.empty() )
+        return;
+
+    if ( ! old_path.empty() )
+        old_path += ":";
+
+    old_path += new_path.native();
+}
+} // namespace
+
+static path get_env_path_or(const char* name, const char* default_) {
+    assert(std::strlen(default_) != 0);
+    if ( auto p = hilti::rt::getenv(name); p && ! p->empty() )
+        return path(*p);
+    else
+        return default_;
+}
+
+inline const auto InstallBinDir() { return path("${CMAKE_INSTALL_PREFIX}") / "${CMAKE_INSTALL_BINDIR}"; }
+
+inline const auto LibraryPath() { return get_env_path_or("ZEEK_SPICY_LIBRARY_PATH", "@ZEEK_SPICY_LIBRARY_PATH@"); }
+
+inline const auto ModulePath() { return get_env_path_or("ZEEK_SPICY_MODULE_PATH", "@ZEEK_SPICY_MODULE_PATH@"); }
+
+inline const auto DataPath() { return get_env_path_or("ZEEK_SPICY_DATA_PATH", "@ZEEK_SPICY_DATA_PATH@"); }
+
+inline const auto CxxZeekIncludesDirectories() {
+    std::string includes;
+    add_path(includes, path("${CMAKE_INSTALL_PREFIX}") / "${CMAKE_INSTALL_INCLUDEDIR}");
+
+    // When changing any of the following, also update "zeek-config.in".
+    add_path(includes, "${ZEEK_CONFIG_PCAP_INCLUDE_DIR}");
+    add_path(includes, "${ZEEK_CONFIG_ZLIB_INCLUDE_DIR}");
+    add_path(includes, "${ZEEK_CONFIG_OPENSSL_INCLUDE_DIR}");
+    add_path(includes, "${ZEEK_CONFIG_LibKrb5_INCLUDE_DIR}");
+    add_path(includes, "${ZEEK_CONFIG_GooglePerftools_INCLUDE_DIR}");
+
+    return includes;
+}
+
+// Version of Spicy that we are compiling against.
+#cmakedefine SPICY_VERSION_NUMBER ${SPICY_VERSION_NUMBER}
+#cmakedefine ZEEK_VERSION_NUMBER ${ZEEK_VERSION_NUMBER}
+
+inline const auto SpicyVersion = "${SPICY_VERSION}";
+inline const auto ZeekVersion = "${VERSION}";
+inline const auto InstallPrefix = path("${CMAKE_INSTALL_PREFIX}");
+
+} // namespace zeek::spicy::configuration
diff --git a/src/spicy/spicyz/driver.cc b/src/spicy/spicyz/driver.cc
new file mode 100644
index 0000000000..691ec5cfea
--- /dev/null
+++ b/src/spicy/spicyz/driver.cc
@@ -0,0 +1,301 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "driver.h"
+
+#include <getopt.h>
+
+#include <algorithm>
+#include <memory>
+#include <string>
+#include <type_traits>
+#include <utility>
+#include <vector>
+
+#include <spicy/rt/libspicy.h>
+
+#include <hilti/ast/declarations/type.h>
+#include <hilti/compiler/init.h>
+
+#include <spicy/ast/detail/visitor.h>
+#include <spicy/ast/types/unit.h>
+#include <spicy/autogen/config.h>
+#include <spicy/compiler/init.h>
+
+#include "config.h"
+#include "glue-compiler.h"
+
+using namespace zeek::spicy;
+using Driver = ::zeek::spicy::Driver;
+
+/**
+ * Visitor to type information from a HILTI AST. This extracts user-visible
+ * types only, we skip any internal ones.
+ */
+struct VisitorTypes : public hilti::visitor::PreOrder<void, VisitorTypes> {
+    explicit VisitorTypes(Driver* driver, hilti::ID module, hilti::rt::filesystem::path path, bool is_resolved)
+        : driver(driver), module(std::move(module)), path(std::move(path)), is_resolved(is_resolved) {}
+
+    void operator()(const hilti::declaration::Type& t) {
+        assert(! t.type().typeID() || *t.type().typeID() == hilti::ID(module, t.id())); // ensure consistent IDs
+
+        if ( module == hilti::ID("hilti") || module == hilti::ID("spicy_rt") || module == hilti::ID("zeek_rt") )
+            return;
+
+        types.emplace_back(TypeInfo{
+            .id = hilti::ID(module, t.id()),
+            .type = t.type()._clone().as<hilti::Type>(),
+            .linkage = t.linkage(),
+            .is_resolved = is_resolved,
+            .module_id = module,
+            .module_path = path,
+            .location = t.meta().location(),
+        });
+    }
+
+    Driver* driver;
+    hilti::ID module;
+    hilti::rt::filesystem::path path;
+    bool is_resolved;
+    std::vector<TypeInfo> types;
+};
+
+Driver::Driver(std::unique_ptr<GlueCompiler> glue, const char* argv0, hilti::rt::filesystem::path lib_path,
+               int zeek_version)
+    : ::spicy::Driver("<Spicy Plugin for Zeek>"), _glue(std::move(glue)) {
+    _glue->Init(this, zeek_version);
+
+    ::spicy::Configuration::extendHiltiConfiguration();
+    auto options = hiltiOptions();
+
+    // Note that, different from Spicy's own SPICY_PATH, this extends the
+    // search path, it doesn't replace it.
+    if ( auto path = hilti::rt::getenv("ZEEK_SPICY_PATH") ) {
+        for ( const auto& dir : hilti::rt::split(*path, ":") ) {
+            if ( dir.size() )
+                options.library_paths.emplace_back(dir);
+        }
+    }
+
+    try {
+        lib_path = hilti::rt::filesystem::weakly_canonical(lib_path);
+
+        // We make our search paths relative to the plugin library, so that the
+        // plugin installation can move around.
+        options.library_paths.push_back(lib_path);
+    } catch ( const hilti::rt::filesystem::filesystem_error& e ) {
+        ::hilti::logger().warning(
+            hilti::util::fmt("invalid plugin base directory %s: %s", lib_path.native(), e.what()));
+    }
+
+    for ( const auto& i : hilti::util::split(configuration::CxxZeekIncludesDirectories(), ":") ) {
+        if ( i.size() )
+            options.cxx_include_paths.emplace_back(i);
+    }
+
+#ifdef DEBUG
+    SPICY_DEBUG("Search paths:");
+
+    auto hilti_options = hiltiOptions();
+    for ( const auto& x : hilti_options.library_paths ) {
+        SPICY_DEBUG(hilti::rt::fmt("  %s", x.native()));
+    }
+#endif
+
+    setCompilerOptions(std::move(options));
+
+    auto& config = ::spicy::configuration();
+    config.preprocessor_constants["HAVE_ZEEK"] = 1;
+    config.preprocessor_constants["ZEEK_VERSION"] = zeek_version;
+
+#if SPICY_VERSION_NUMBER >= 10500
+    ::hilti::init();
+    ::spicy::init();
+#endif
+}
+
+Driver::~Driver() {}
+
+hilti::Result<hilti::Nothing> Driver::loadFile(hilti::rt::filesystem::path file,
+                                               const hilti::rt::filesystem::path& relative_to) {
+    std::error_code ec;
+    if ( ! relative_to.empty() && file.is_relative() ) {
+        auto p = relative_to / file;
+        auto exists = hilti::rt::filesystem::exists(p, ec);
+
+        if ( ec )
+            return hilti::rt::result::Error(
+                hilti::util::fmt("error computing path of %s relative to %s: %s", file, relative_to, ec.message()));
+
+        if ( exists )
+            file = p;
+    }
+
+    auto exists = hilti::rt::filesystem::exists(file, ec);
+
+    if ( ec )
+        return hilti::rt::result::Error(
+            hilti::util::fmt("cannot check whether file %s exists: %s", file, ec.message()));
+
+    if ( ! exists ) {
+        if ( auto path = hilti::util::findInPaths(file, hiltiOptions().library_paths) )
+            file = *path;
+        else
+            return hilti::result::Error(hilti::util::fmt("Spicy plugin cannot find file %s", file));
+    }
+
+    auto rpath = hilti::util::normalizePath(file);
+    auto ext = rpath.extension();
+
+    if ( ext == ".evt" ) {
+        SPICY_DEBUG(hilti::util::fmt("Loading EVT file %s", rpath));
+        if ( _glue->loadEvtFile(rpath) )
+            return hilti::Nothing();
+        else
+            return hilti::result::Error(hilti::util::fmt("error loading EVT file %s", rpath));
+    }
+
+    if ( ext == ".spicy" ) {
+        SPICY_DEBUG(hilti::util::fmt("Loading Spicy file %s", rpath));
+        if ( auto rc = addInput(rpath); ! rc )
+            return rc.error();
+
+        return hilti::Nothing();
+    }
+
+    if ( ext == ".hlt" ) {
+        SPICY_DEBUG(hilti::util::fmt("Loading HILTI file %s", rpath));
+        if ( auto rc = addInput(rpath) )
+            return hilti::Nothing();
+        else
+            return rc.error();
+    }
+
+    if ( ext == ".hlto" ) {
+        SPICY_DEBUG(hilti::util::fmt("Loading precompiled HILTI code %s", rpath));
+        if ( auto rc = addInput(rpath) )
+            return hilti::Nothing();
+        else
+            return rc.error();
+    }
+
+    if ( ext == ".cc" || ext == ".cxx" ) {
+        SPICY_DEBUG(hilti::util::fmt("Loading C++ code %s", rpath));
+        if ( auto rc = addInput(rpath) )
+            return hilti::Nothing();
+        else
+            return rc.error();
+    }
+
+    return hilti::result::Error(hilti::util::fmt("unknown file type passed to Spicy loader: %s", rpath));
+}
+
+hilti::Result<hilti::Nothing> Driver::compile() {
+    if ( ! hasInputs() )
+        return hilti::Nothing();
+
+    SPICY_DEBUG("Running Spicy driver");
+
+    if ( auto x = ::spicy::Driver::compile(); ! x )
+        return x.error();
+
+    SPICY_DEBUG("Done with Spicy driver");
+    return hilti::Nothing();
+}
+
+hilti::Result<TypeInfo> Driver::lookupType(const hilti::ID& id) {
+    if ( auto x = _types.find(id); x != _types.end() )
+        return x->second;
+    else
+        return hilti::result::Error(hilti::util::fmt("unknown type '%s'", id));
+}
+
+std::vector<TypeInfo> Driver::types() const {
+    std::vector<TypeInfo> result;
+    result.reserve(_types.size());
+
+    for ( const auto& t : _types )
+        result.push_back(t.second);
+
+    return result;
+}
+
+std::vector<std::pair<TypeInfo, hilti::ID>> Driver::exportedTypes() const {
+    std::vector<std::pair<TypeInfo, hilti::ID>> result;
+
+    for ( const auto& [spicy_id, zeek_id, _] : _glue->exportedIDs() ) {
+        if ( auto t = _types.find(spicy_id); t != _types.end() )
+            result.emplace_back(t->second, zeek_id);
+        else {
+            hilti::logger().error(hilti::rt::fmt("unknown type '%s' exported", spicy_id));
+            continue;
+        }
+    }
+
+    // Automatically export public enums for backwards compatibility.
+    for ( const auto& t : _public_enums )
+        result.emplace_back(t, t.id);
+
+    return result;
+}
+
+void Driver::hookNewASTPreCompilation(std::shared_ptr<hilti::Unit> unit) {
+    if ( unit->extension() != ".spicy" )
+        return;
+
+    if ( unit->path().empty() )
+        // Ignore modules constructed in memory.
+        return;
+
+    auto v = VisitorTypes(this, unit->id(), unit->path(), false);
+    for ( auto i : v.walk(unit->module()) )
+        v.dispatch(i);
+
+    for ( const auto& ti : v.types ) {
+        SPICY_DEBUG(hilti::util::fmt("  Got type '%s' (pre-compile)", ti.id));
+        _types[ti.id] = ti;
+
+        if ( auto et = ti.type.tryAs<hilti::type::Enum>(); et && ti.linkage == hilti::declaration::Linkage::Public ) {
+            SPICY_DEBUG("    Automatically exporting public enum for backwards compatibility");
+            _public_enums.push_back(ti);
+        }
+
+        hookNewType(ti);
+    }
+}
+
+void Driver::hookNewASTPostCompilation(std::shared_ptr<hilti::Unit> unit) {
+    if ( unit->extension() != ".spicy" )
+        return;
+
+    if ( unit->path().empty() )
+        // Ignore modules constructed in memory.
+        return;
+
+    auto v = VisitorTypes(this, unit->id(), unit->path(), true);
+    for ( auto i : v.walk(unit->module()) )
+        v.dispatch(i);
+
+    for ( auto&& t : v.types ) {
+        SPICY_DEBUG(hilti::util::fmt("  Got type '%s' (post-compile)", t.id));
+        _types[t.id] = t;
+        hookNewType(t);
+    }
+
+    _glue->addSpicyModule(unit->id(), unit->path());
+}
+
+hilti::Result<hilti::Nothing> Driver::hookCompilationFinished(const hilti::Plugin& plugin) {
+    if ( ! _need_glue )
+        return hilti::Nothing();
+
+    _need_glue = false;
+
+    if ( _glue->compile() )
+        return hilti::Nothing();
+    else
+        return hilti::result::Error("glue compilation failed");
+}
+
+void Driver::hookInitRuntime() { ::spicy::rt::init(); }
+
+void Driver::hookFinishRuntime() { ::spicy::rt::done(); }
diff --git a/src/spicy/spicyz/driver.h b/src/spicy/spicyz/driver.h
new file mode 100644
index 0000000000..8dd2422ce2
--- /dev/null
+++ b/src/spicy/spicyz/driver.h
@@ -0,0 +1,199 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <memory>
+#include <string>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+
+#include <hilti/rt/filesystem.h>
+
+#include <spicy/rt/driver.h>
+
+#include <hilti/ast/declaration.h>
+#include <hilti/ast/id.h>
+#include <hilti/ast/type.h>
+#include <hilti/base/logger.h>
+#include <hilti/compiler/driver.h>
+
+#include <spicy/compiler/driver.h>
+
+// Debug stream for compiler messages.
+static const ::hilti::logging::DebugStream ZeekPlugin("zeek");
+
+// Macro helper to report debug messages.
+#define SPICY_DEBUG(msg) HILTI_DEBUG(ZeekPlugin, std::string(msg));
+
+namespace zeek::spicy {
+
+class GlueCompiler;
+
+struct TypeInfo {
+    hilti::ID id;                        /**< fully-qualified name of the type */
+    hilti::Type type;                    /**< the type itself */
+    hilti::declaration::Linkage linkage; /**< linkage of of the type's declaration */
+    bool is_resolved = false; /**< true if we are far enough in processing that the type has been fully resolved */
+    hilti::ID module_id;      /**< name of module type is defined in */
+    hilti::rt::filesystem::path module_path; /**< path of module that type is defined in */
+    hilti::Location location;                /**< location of type's declaration */
+};
+
+/** Spicy compilation driver. */
+class Driver : public ::spicy::Driver {
+public:
+    /**
+     * Constructor.
+     *
+     * @param argv0 path to current executable, or empty to determine automatically
+     * @param lib_path Path to library files the Spicy support needs
+     * @param zeek_version Version number of Zeek we're working with
+     */
+    Driver(std::unique_ptr<GlueCompiler> glue, const char* argv0, hilti::rt::filesystem::path lib_path,
+           int zeek_version);
+
+    /** Destructor. */
+    ~Driver();
+
+    /**
+     * Schedules an *.spicy, *.evt, or *.hlt file for loading. Note that it
+     * won't necessarily load them all immediately, but may queue some for
+     * later processing.
+     *
+     * @param file file to load, which will be searched across all current search paths
+     * @param relative_to if given, relative paths will be interpreted as relative to this directory
+     */
+    hilti::Result<hilti::Nothing> loadFile(hilti::rt::filesystem::path file,
+                                           const hilti::rt::filesystem::path& relative_to = {});
+
+    /**
+     * After user scripts have been read, compiles and links all resulting
+     * Spicy code. Note that compiler and driver options must have been set
+     * before calling this.
+     *
+     * Must be called before any packet processing starts.
+     *
+     * @return False if an error occurred. It will have been reported already.
+     */
+    hilti::Result<hilti::Nothing> compile();
+
+    /**
+     * Returns meta information for a type. The Spicy module defining the type
+     * must have been compiled already for it to be found.
+     *
+     * @param id fully qualified name of type to look up
+     * @return meta data, or an error if the type is not (yet) known
+     */
+    hilti::Result<TypeInfo> lookupType(const hilti::ID& id);
+
+    /**
+     * Returns meta information for a type, enforcing it to be a of a certain
+     * kind. The Spicy module defining the type must have been compiled already
+     * for it to be found.
+     *
+     * @tparam T type to enforce; method will return an error if type is not of this class
+     * @param id fully qualified name of type to look up
+     * @return meta data, or an error if the type is not (yet) known
+     */
+    template<typename T>
+    hilti::Result<TypeInfo> lookupType(const hilti::ID& id) {
+        auto ti = lookupType(id);
+        if ( ! ti )
+            return ti.error();
+
+        if ( ! ti->type.isA<T>() )
+            return hilti::result::Error(hilti::util::fmt("'%s' is not of expected type", id));
+
+        return ti;
+    }
+
+    /**
+     * Returns all types seen so far during processing of Spicy files.
+     * Depending on where we are at with processing, these may or may not be
+     * resolved yet (as indicated by their `is_resolved` field).
+
+     * @return list of types
+     */
+    std::vector<TypeInfo> types() const;
+
+    /**
+     * Returns all *exported* types seen so far during processing of Spicy
+     * files, including their desired Zeek-side names. Depending on where we
+     * are at with processing, these may or may not be resolved yet (as
+     * indicated by their `is_resolved` field).
+     *
+     * @return list of pairs of type and Zeek-side name
+     */
+    std::vector<std::pair<TypeInfo, hilti::ID>> exportedTypes() const;
+
+    /** Returns true if we're running out of the plugin's build directory. */
+    bool usingBuildDirectory() const { return _using_build_directory; }
+
+    /** Returns the glue compiler in use by the driver. */
+    const auto* glueCompiler() const { return _glue.get(); }
+
+    /**
+     * Parses some options command-line style *before* Zeek-side scripts have
+     * been processed. Most of the option processing happens in
+     * `parseOptionsPostScript()` instead, except for things that must be in
+     * place already before script processing.
+     *
+     * @param options space-separated string of command line argument to parse
+     * @return success if all argument could be parsed, or a suitable error message
+     */
+    static hilti::Result<hilti::Nothing> parseOptionsPreScript(const std::string& options);
+
+    /**
+     * Parses options command-line style after Zeek-side scripts have been
+     * fully procssed. Most of the option processing happens here (vs. in
+     * `parseOptionsPreScript()`) except for things that must be in place
+     * already before script processing.
+     *
+     * @param options space-separated string of command line argument to parse
+     * @param driver_options instance of options to update per parsed arguments
+     * @param compiler_options instance of options to update per parsed arguments
+     * @return success if all argument could be parsed, or a suitable error message
+     */
+    static hilti::Result<hilti::Nothing> parseOptionsPostScript(const std::string& options,
+                                                                hilti::driver::Options* driver_options,
+                                                                hilti::Options* compiler_options);
+
+    /** Prints a usage message for options supported by `parseOptions{Pre,Post}Script()`. */
+    static void usage(std::ostream& out);
+
+protected:
+    /**
+     * Hook executed for all type declarations encountered in a Spicy module.
+     * Derived classes may override this to add custom processing. This hooks
+     * executes twices for each declaration: once before we compile the AST
+     * (meaning types have not been resolved yet), and once after. The type
+     * info's `is_resolved` field indicates which of the two we're in.
+     *
+     * @param t type's meta information
+     */
+    virtual void hookNewType(const TypeInfo& ti) {}
+
+    /** Overridden from HILTI driver. */
+    void hookNewASTPreCompilation(std::shared_ptr<hilti::Unit> unit) override;
+
+    /** Overridden from HILTI driver. */
+    void hookNewASTPostCompilation(std::shared_ptr<hilti::Unit> unit) override;
+
+    /** Overridden from HILTI driver. */
+    hilti::Result<hilti::Nothing> hookCompilationFinished(const hilti::Plugin& plugin) override;
+
+    /** Overridden from HILTI driver. */
+    void hookInitRuntime() override;
+
+    /** Overridden from HILTI driver. */
+    void hookFinishRuntime() override;
+
+    std::unique_ptr<GlueCompiler> _glue;            // glue compiler in use
+    std::unordered_map<hilti::ID, TypeInfo> _types; // map of Spicy type declarations encountered so far
+    std::vector<TypeInfo> _public_enums;            // tracks Spicy enum types declared public, for automatic export
+    bool _using_build_directory = false;            // true if we're running out of the plugin's build directory
+    bool _need_glue = true;                         // true if glue code has not yet been generated
+};
+
+} // namespace zeek::spicy
diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc
new file mode 100644
index 0000000000..b4efc48dbf
--- /dev/null
+++ b/src/spicy/spicyz/glue-compiler.cc
@@ -0,0 +1,1382 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "glue-compiler.h"
+
+#include <algorithm>
+#include <limits>
+#include <stdexcept>
+
+#include <hilti/ast/all.h>
+#include <hilti/ast/builder/all.h>
+#include <hilti/base/preprocessor.h>
+#include <hilti/base/util.h>
+#include <hilti/compiler/unit.h>
+
+#include <spicy/ast/detail/visitor.h>
+#include <spicy/global.h>
+
+#include "config.h"
+#include "zeek/spicy/port-range.h"
+
+using namespace zeek::spicy;
+
+namespace builder = hilti::builder;
+
+#if SPICY_VERSION_NUMBER >= 10700
+static inline auto _linker_scope() { return hilti::builder::scope(); }
+#else
+static inline auto _linker_scope() { return hilti::builder::call("hilti::linker_scope", {}); }
+#endif
+
+// Small parsing helpers.
+
+using ParseError = std::runtime_error;
+
+static void eat_spaces(const std::string& chunk, size_t* i) {
+    while ( *i < chunk.size() && isspace(chunk[*i]) )
+        ++*i;
+}
+
+static std::string::size_type looking_at(const std::string& chunk, std::string::size_type i,
+                                         const std::string_view& token) {
+    eat_spaces(chunk, &i);
+
+    for ( char j : token ) {
+        if ( i >= chunk.size() || chunk[i++] != j )
+            return 0;
+    }
+
+    return i;
+}
+
+static void eat_token(const std::string& chunk, std::string::size_type* i, const std::string_view& token) {
+    eat_spaces(chunk, i);
+
+    auto j = looking_at(chunk, *i, token);
+
+    if ( ! j )
+        throw ParseError(hilti::util::fmt("expected token '%s'", token));
+
+    *i = j;
+}
+
+static bool is_id_char(const std::string& chunk, size_t i) {
+    char c = chunk[i];
+
+    if ( isalnum(c) )
+        return true;
+
+    if ( strchr("_$%", c) != nullptr )
+        return true;
+
+    char prev = (i > 0) ? chunk[i - 1] : '\0';
+    char next = (i + 1 < chunk.size()) ? chunk[i + 1] : '\0';
+
+    if ( c == ':' && next == ':' )
+        return true;
+
+    if ( c == ':' && prev == ':' )
+        return true;
+
+    return false;
+}
+
+static bool is_path_char(const std::string& chunk, size_t i) {
+    char c = chunk[i];
+    return (! isspace(c)) && c != ';';
+}
+
+static hilti::ID extract_id(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    size_t j = *i;
+
+    while ( j < chunk.size() && is_id_char(chunk, j) )
+        ++j;
+
+    if ( *i == j )
+        throw ParseError("expected id");
+
+    auto id = chunk.substr(*i, j - *i);
+    *i = j;
+    return hilti::ID(hilti::util::replace(id, "%", "0x25_"));
+}
+
+static hilti::Type extract_type(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    // We currently only parse Spicy types that can appear in parameters of
+    // built-in hooks--which are not many.
+    auto token = extract_id(chunk, i);
+
+    if ( token == hilti::ID("string") )
+        return hilti::type::String();
+
+    if ( token == hilti::ID("uint64") )
+        return hilti::type::UnsignedInteger(64);
+
+    throw ParseError("mismatching type");
+}
+
+static hilti::type::function::Parameter extract_parameter(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    auto id = extract_id(chunk, i);
+
+    if ( ! looking_at(chunk, *i, ":") )
+        throw ParseError("expected ':'");
+
+    eat_token(chunk, i, ":");
+
+    auto type = extract_type(chunk, i);
+    return builder::parameter(std::move(id), std::move(type));
+}
+
+static hilti::rt::filesystem::path extract_path(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    size_t j = *i;
+
+    while ( j < chunk.size() && is_path_char(chunk, j) )
+        ++j;
+
+    if ( *i == j )
+        throw ParseError("expected path");
+
+    auto path = chunk.substr(*i, j - *i);
+    *i = j;
+    return path;
+}
+
+static int extract_int(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    size_t j = *i;
+
+    if ( j < chunk.size() ) {
+        if ( chunk[j] == '-' ) {
+            ++j;
+        }
+        if ( chunk[j] == '+' )
+            ++j;
+    }
+
+    while ( j < chunk.size() && isdigit(chunk[j]) )
+        ++j;
+
+    if ( *i == j )
+        throw ParseError("expected integer");
+
+    auto x = chunk.substr(*i, j - *i);
+    *i = j;
+
+    int integer = 0;
+    hilti::util::atoi_n(x.begin(), x.end(), 10, &integer);
+    return integer;
+}
+
+static std::string extract_expr(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    int level = 0;
+    bool done = false;
+    size_t j = *i;
+
+    while ( j < chunk.size() ) {
+        switch ( chunk[j] ) {
+            case '(':
+            case '[':
+            case '{':
+                ++level;
+                ++j;
+                continue;
+
+            case ')':
+                if ( level == 0 ) {
+                    done = true;
+                    break;
+                }
+
+                // fall-through
+
+            case ']':
+            case '}':
+                if ( level == 0 )
+                    throw ParseError("expected Spicy expression");
+
+                --level;
+                ++j;
+                continue;
+
+            case ',':
+                if ( level == 0 ) {
+                    done = true;
+                    break;
+                }
+
+                // fall-through
+
+            default: ++j;
+        }
+
+        if ( done )
+            break;
+
+        if ( *i == j )
+            break;
+    }
+
+    auto expr = hilti::util::trim(chunk.substr(*i, j - *i));
+    *i = j;
+    return expr;
+}
+
+static hilti::rt::Port extract_port(const std::string& chunk, size_t* i) {
+    eat_spaces(chunk, i);
+
+    std::string s;
+    size_t j = *i;
+
+    while ( j < chunk.size() && isdigit(chunk[j]) )
+        ++j;
+
+    if ( *i == j )
+        throw ParseError("cannot parse port specification");
+
+    hilti::rt::Protocol proto;
+    uint64_t port = std::numeric_limits<uint64_t>::max();
+
+    s = chunk.substr(*i, j - *i);
+    hilti::util::atoi_n(s.begin(), s.end(), 10, &port);
+
+    if ( port > 65535 )
+        throw ParseError("port outside of valid range");
+
+    *i = j;
+
+    if ( chunk[*i] != '/' )
+        throw ParseError("cannot parse port specification");
+
+    (*i)++;
+
+    if ( looking_at(chunk, *i, "tcp") ) {
+        proto = hilti::rt::Protocol::TCP;
+        eat_token(chunk, i, "tcp");
+    }
+
+    else if ( looking_at(chunk, *i, "udp") ) {
+        proto = hilti::rt::Protocol::UDP;
+        eat_token(chunk, i, "udp");
+    }
+
+    else if ( looking_at(chunk, *i, "icmp") ) {
+        proto = hilti::rt::Protocol::ICMP;
+        eat_token(chunk, i, "icmp");
+    }
+
+    else
+        throw ParseError("cannot parse port specification");
+
+    return {static_cast<uint16_t>(port), proto};
+}
+
+static ::zeek::spicy::rt::PortRange extract_port_range(const std::string& chunk, size_t* i) {
+    auto start = extract_port(chunk, i);
+    auto end = std::optional<hilti::rt::Port>();
+
+    if ( looking_at(chunk, *i, "-") ) {
+        eat_token(chunk, i, "-");
+        end = extract_port(chunk, i);
+    }
+
+    if ( end ) {
+        if ( start.protocol() != end->protocol() )
+            throw ParseError("start and end of port range must have same protocol");
+
+        if ( start.port() > end->port() )
+            throw ParseError("start of port range cannot be after its end");
+    }
+
+    if ( ! end )
+        // EVT port ranges are a closed interval, but rt are half-closed.
+        end = hilti::rt::Port(start.port() + 1, start.protocol());
+
+    return {start, *end};
+}
+
+void GlueCompiler::Init(Driver* driver, int zeek_version) {
+    _driver = driver;
+    _zeek_version = zeek_version;
+}
+
+GlueCompiler::~GlueCompiler() {}
+
+hilti::Result<std::string> GlueCompiler::getNextEvtBlock(std::istream& in, int* lineno) const {
+    std::string chunk;
+
+    // Parser need to track whether we are inside a string or a comment.
+    enum State { Default, InComment, InString } state = Default;
+    char prev = '\0';
+
+    while ( true ) {
+        char cur;
+        in.get(cur);
+        if ( in.eof() ) {
+            chunk = hilti::util::trim(chunk);
+            if ( chunk.empty() )
+                // Legitimate end of data.
+                return std::string();
+            else
+                // End of input before semicolon.
+                return hilti::result::Error("unexpected end of file");
+        }
+
+        switch ( state ) {
+            case Default:
+                if ( cur == '"' && prev != '\\' )
+                    state = InString;
+
+                if ( cur == '#' && prev != '\\' ) {
+                    state = InComment;
+                    continue;
+                }
+
+                if ( cur == '\n' )
+                    ++*lineno;
+
+                if ( cur == ';' ) {
+                    // End of block found.
+                    chunk = hilti::util::trim(chunk);
+                    if ( chunk.size() )
+                        return chunk + ';';
+                    else
+                        return hilti::result::Error("empty block");
+                }
+
+                break;
+
+            case InString:
+                if ( cur == '"' && prev != '\\' )
+                    state = Default;
+
+                if ( cur == '\n' )
+                    ++*lineno;
+
+                break;
+
+            case InComment:
+                if ( cur != '\n' )
+                    // skip
+                    continue;
+
+                state = Default;
+                ++*lineno;
+        }
+
+        chunk += cur;
+        prev = cur;
+    }
+}
+
+void GlueCompiler::preprocessEvtFile(hilti::rt::filesystem::path& path, std::istream& in, std::ostream& out) {
+    hilti::util::SourceCodePreprocessor pp({{"ZEEK_VERSION", *_zeek_version}});
+    int lineno = 0;
+
+    std::string line;
+    while ( std::getline(in, line) ) {
+        lineno++;
+
+        auto trimmed = hilti::util::trim(line);
+        _locations.emplace_back(path, lineno);
+
+        if ( hilti::util::startsWith(trimmed, "@") ) {
+            // Output empty line to keep line numbers the same
+            out << '\n';
+
+            auto m = hilti::util::split1(trimmed);
+
+            if ( auto rc = pp.processLine(m.first, m.second); ! rc )
+                throw ParseError(rc.error());
+        }
+
+        else {
+            switch ( pp.state() ) {
+                case hilti::util::SourceCodePreprocessor::State::Include: out << line << '\n'; break;
+                case hilti::util::SourceCodePreprocessor::State::Skip:
+                    // Output empty line to keep line numbers the same
+                    out << '\n';
+                    break;
+            }
+        }
+    }
+
+    if ( pp.expectingDirective() )
+        throw ParseError("unterminated preprocessor directive");
+}
+
+bool GlueCompiler::loadEvtFile(hilti::rt::filesystem::path& path) {
+    assert(_zeek_version);
+
+    std::ifstream in(path);
+
+    if ( ! in ) {
+        hilti::logger().error(hilti::util::fmt("cannot open %s", path));
+        return false;
+    }
+
+    SPICY_DEBUG(hilti::util::fmt("Loading events from %s", path));
+
+    std::vector<glue::Event> new_events;
+
+    try {
+        std::stringstream preprocessed;
+        preprocessEvtFile(path, in, preprocessed);
+        preprocessed.clear();
+        preprocessed.seekg(0);
+
+        int lineno = 1;
+
+        while ( true ) {
+            _locations.emplace_back(path, lineno);
+            auto chunk = getNextEvtBlock(preprocessed, &lineno);
+            if ( ! chunk )
+                throw ParseError(chunk.error());
+
+            if ( chunk->empty() )
+                break; // end of input
+
+            _locations.pop_back();
+            _locations.emplace_back(path, lineno);
+
+            if ( looking_at(*chunk, 0, "protocol") ) {
+                auto a = parseProtocolAnalyzer(*chunk);
+                SPICY_DEBUG(hilti::util::fmt("  Got protocol analyzer definition for %s", a.name));
+                _protocol_analyzers.push_back(a);
+            }
+
+            else if ( looking_at(*chunk, 0, "file") ) {
+                auto a = parseFileAnalyzer(*chunk);
+                SPICY_DEBUG(hilti::util::fmt("  Got file analyzer definition for %s", a.name));
+                _file_analyzers.push_back(a);
+            }
+
+            else if ( looking_at(*chunk, 0, "packet") ) {
+                auto a = parsePacketAnalyzer(*chunk);
+                SPICY_DEBUG(hilti::util::fmt("  Got packet analyzer definition for %s", a.name));
+                _packet_analyzers.push_back(a);
+            }
+
+            else if ( looking_at(*chunk, 0, "on") ) {
+                auto ev = parseEvent(*chunk);
+                ev.file = path;
+                new_events.push_back(ev);
+                SPICY_DEBUG(hilti::util::fmt("  Got event definition for %s", ev.name));
+            }
+
+            else if ( looking_at(*chunk, 0, "import") ) {
+                size_t i = 0;
+                eat_token(*chunk, &i, "import");
+
+                hilti::ID module = extract_id(*chunk, &i);
+                std::optional<hilti::ID> scope;
+
+                if ( looking_at(*chunk, i, "from") ) {
+                    eat_token(*chunk, &i, "from");
+                    scope = extract_path(*chunk, &i);
+                    SPICY_DEBUG(hilti::util::fmt("  Got module %s to import from scope %s", module, *scope));
+                }
+                else
+                    SPICY_DEBUG(hilti::util::fmt("  Got module %s to import", module));
+
+                _imports.emplace_back(hilti::ID(module), std::move(scope));
+            }
+
+            else if ( looking_at(*chunk, 0, "export") ) {
+                size_t i = 0;
+                eat_token(*chunk, &i, "export");
+
+                hilti::ID spicy_id = extract_id(*chunk, &i);
+                hilti::ID zeek_id = spicy_id;
+
+                if ( looking_at(*chunk, i, "as") ) {
+                    eat_token(*chunk, &i, "as");
+                    zeek_id = extract_id(*chunk, &i);
+                }
+
+                eat_spaces(*chunk, &i);
+                if ( ! looking_at(*chunk, i, ";") )
+                    throw ParseError("syntax error in export");
+
+                _exports.emplace_back(std::move(spicy_id), std::move(zeek_id), _locations.back());
+            }
+
+            else
+                throw ParseError("expected 'import', 'export', '{file,packet,protocol} analyzer', or 'on'");
+
+            _locations.pop_back();
+        }
+    } catch ( const ParseError& e ) {
+        if ( *e.what() )
+            hilti::logger().error(e.what(), _locations.back());
+
+        return false;
+    }
+
+    for ( auto&& ev : new_events )
+        _events.push_back(ev);
+
+    return true;
+}
+
+void GlueCompiler::addSpicyModule(const hilti::ID& id, const hilti::rt::filesystem::path& file) {
+    glue::SpicyModule module;
+    module.id = id;
+    module.file = file;
+    _spicy_modules[id] = std::make_shared<glue::SpicyModule>(std::move(module));
+}
+
+glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& chunk) {
+    glue::ProtocolAnalyzer a;
+    a.location = _locations.back();
+
+    size_t i = 0;
+
+    eat_token(chunk, &i, "protocol");
+    eat_token(chunk, &i, "analyzer");
+    a.name = extract_id(chunk, &i).str();
+
+    eat_token(chunk, &i, "over");
+
+    auto proto = hilti::util::tolower(extract_id(chunk, &i).str());
+
+    if ( proto == "tcp" )
+        a.protocol = hilti::rt::Protocol::TCP;
+
+    else if ( proto == "udp" )
+        a.protocol = hilti::rt::Protocol::UDP;
+
+    else if ( proto == "icmp" )
+        a.protocol = hilti::rt::Protocol::ICMP;
+
+    else
+        throw ParseError(hilti::util::fmt("unknown transport protocol '%s'", proto));
+
+    eat_token(chunk, &i, ":");
+
+    enum { orig, resp, both } dir;
+
+    while ( true ) {
+        if ( looking_at(chunk, i, "parse") ) {
+            eat_token(chunk, &i, "parse");
+
+            if ( looking_at(chunk, i, "originator") ) {
+                eat_token(chunk, &i, "originator");
+                dir = orig;
+            }
+
+            else if ( looking_at(chunk, i, "responder") ) {
+                eat_token(chunk, &i, "responder");
+                dir = resp;
+            }
+
+            else if ( looking_at(chunk, i, "with") )
+                dir = both;
+
+            else
+                throw ParseError("invalid \"parse with ...\" specification");
+
+            eat_token(chunk, &i, "with");
+            auto unit = extract_id(chunk, &i);
+
+            switch ( dir ) {
+                case orig: a.unit_name_orig = unit; break;
+
+                case resp: a.unit_name_resp = unit; break;
+
+                case both:
+                    a.unit_name_orig = unit;
+                    a.unit_name_resp = unit;
+                    break;
+            }
+        }
+
+        else if ( looking_at(chunk, i, "ports") ) {
+            eat_token(chunk, &i, "ports");
+            eat_token(chunk, &i, "{");
+
+            while ( true ) {
+                a.ports.push_back(extract_port_range(chunk, &i));
+
+                if ( looking_at(chunk, i, "}") ) {
+                    eat_token(chunk, &i, "}");
+                    break;
+                }
+
+                eat_token(chunk, &i, ",");
+            }
+        }
+
+        else if ( looking_at(chunk, i, "port") ) {
+            eat_token(chunk, &i, "port");
+            a.ports.push_back(extract_port_range(chunk, &i));
+        }
+
+        else if ( looking_at(chunk, i, "replaces") ) {
+            eat_token(chunk, &i, "replaces");
+            a.replaces = extract_id(chunk, &i);
+        }
+
+        else
+            throw ParseError("unexpected token");
+
+        if ( looking_at(chunk, i, ";") )
+            break; // All done.
+
+        eat_token(chunk, &i, ",");
+    }
+
+    return a;
+}
+
+glue::FileAnalyzer GlueCompiler::parseFileAnalyzer(const std::string& chunk) {
+    glue::FileAnalyzer a;
+    a.location = _locations.back();
+
+    size_t i = 0;
+
+    eat_token(chunk, &i, "file");
+    eat_token(chunk, &i, "analyzer");
+    a.name = extract_id(chunk, &i).str();
+
+    eat_token(chunk, &i, ":");
+
+    while ( true ) {
+        if ( looking_at(chunk, i, "parse") ) {
+            eat_token(chunk, &i, "parse");
+            eat_token(chunk, &i, "with");
+            a.unit_name = extract_id(chunk, &i);
+        }
+
+        else if ( looking_at(chunk, i, "mime-type") ) {
+            eat_token(chunk, &i, "mime-type");
+            auto mtype = extract_path(chunk, &i);
+            a.mime_types.push_back(mtype.string());
+        }
+
+        else if ( looking_at(chunk, i, "replaces") ) {
+            eat_token(chunk, &i, "replaces");
+            a.replaces = extract_id(chunk, &i);
+        }
+
+        else
+            throw ParseError("unexpected token");
+
+        if ( looking_at(chunk, i, ";") )
+            break; // All done.
+
+        eat_token(chunk, &i, ",");
+    }
+
+    return a;
+}
+
+glue::PacketAnalyzer GlueCompiler::parsePacketAnalyzer(const std::string& chunk) {
+    glue::PacketAnalyzer a;
+    a.location = _locations.back();
+
+    size_t i = 0;
+
+    eat_token(chunk, &i, "packet");
+    eat_token(chunk, &i, "analyzer");
+    a.name = extract_id(chunk, &i).str();
+
+    eat_token(chunk, &i, ":");
+
+    while ( true ) {
+        if ( looking_at(chunk, i, "parse") ) {
+            eat_token(chunk, &i, "parse");
+            eat_token(chunk, &i, "with");
+            a.unit_name = extract_id(chunk, &i);
+        }
+
+        else if ( looking_at(chunk, i, "replaces") ) {
+            eat_token(chunk, &i, "replaces");
+            a.replaces = extract_id(chunk, &i);
+        }
+
+        else
+            throw ParseError("unexpected token");
+
+        if ( looking_at(chunk, i, ";") )
+            break; // All done.
+
+        eat_token(chunk, &i, ",");
+    }
+
+    return a;
+}
+
+glue::Event GlueCompiler::parseEvent(const std::string& chunk) {
+    glue::Event ev;
+    ev.location = _locations.back();
+
+    // We use a quite negative hook priority here to make sure these run last
+    // after anything the grammar defines by default.
+    ev.priority = -1000;
+
+    size_t i = 0;
+
+    eat_token(chunk, &i, "on");
+    ev.path = extract_id(chunk, &i);
+
+    if ( looking_at(chunk, i, "(") ) {
+        eat_token(chunk, &i, "(");
+
+        if ( ! looking_at(chunk, i, ")") ) {
+            while ( true ) {
+                auto param = extract_parameter(chunk, &i);
+                ev.parameters.push_back(std::move(param));
+
+                if ( looking_at(chunk, i, ")") )
+                    break;
+
+                eat_token(chunk, &i, ",");
+            }
+        }
+
+        eat_token(chunk, &i, ")");
+    }
+
+    if ( looking_at(chunk, i, "if") ) {
+        eat_token(chunk, &i, "if");
+        eat_token(chunk, &i, "(");
+
+        ev.condition = extract_expr(chunk, &i);
+        eat_token(chunk, &i, ")");
+    }
+
+    eat_token(chunk, &i, "->");
+    eat_token(chunk, &i, "event");
+    ev.name = extract_id(chunk, &i);
+
+    eat_token(chunk, &i, "(");
+
+    bool first = true;
+    size_t j = 0;
+
+    while ( true ) {
+        j = looking_at(chunk, i, ")");
+
+        if ( j ) {
+            i = j;
+            break;
+        }
+
+        if ( ! first )
+            eat_token(chunk, &i, ",");
+
+        auto expr = extract_expr(chunk, &i);
+        ev.exprs.push_back(expr);
+        first = false;
+    }
+
+    if ( looking_at(chunk, i, "&priority") ) {
+        eat_token(chunk, &i, "&priority");
+        eat_token(chunk, &i, "=");
+        ev.priority = extract_int(chunk, &i);
+    }
+
+    eat_token(chunk, &i, ";");
+    eat_spaces(chunk, &i);
+
+    if ( i < chunk.size() )
+        // This shouldn't actually be possible ...
+        throw ParseError("unexpected characters at end of line");
+
+    return ev;
+}
+
+bool GlueCompiler::compile() {
+    assert(_driver);
+
+    auto init_module = hilti::Module(hilti::ID("spicy_init"));
+
+    auto import_ = hilti::builder::import(hilti::ID("zeek_rt"), ".hlt");
+    init_module.add(std::move(import_));
+
+    import_ = hilti::builder::import(hilti::ID("hilti"), ".hlt");
+    init_module.add(std::move(import_));
+
+    auto preinit_body = hilti::builder::Builder(_driver->context());
+
+    for ( auto&& [id, m] : _spicy_modules )
+        m->spicy_module = hilti::Module(hilti::ID(hilti::util::fmt("spicy_hooks_%s", id)));
+
+    if ( ! PopulateEvents() )
+        return false;
+
+    for ( auto& a : _protocol_analyzers ) {
+        SPICY_DEBUG(hilti::util::fmt("Adding protocol analyzer '%s'", a.name));
+
+        if ( a.unit_name_orig ) {
+            if ( auto ui = _driver->lookupType<::spicy::type::Unit>(a.unit_name_orig) )
+                a.unit_orig = *ui;
+            else {
+                hilti::logger().error(hilti::util::fmt("error with protocol analyzer %s: %s", a.name, ui.error()));
+                return false;
+            }
+        }
+
+        if ( a.unit_name_resp ) {
+            if ( auto ui = _driver->lookupType<::spicy::type::Unit>(a.unit_name_resp) )
+                a.unit_resp = *ui;
+            else {
+                hilti::logger().error(hilti::util::fmt("error with protocol analyzer %s: %s", a.name, ui.error()));
+                return false;
+            }
+        }
+
+#if SPICY_VERSION_NUMBER >= 10700
+        auto proto = a.protocol.value();
+#else
+        auto proto = a.protocol;
+#endif
+
+        hilti::ID protocol;
+        switch ( proto ) {
+            case hilti::rt::Protocol::TCP: protocol = hilti::ID("hilti::Protocol::TCP"); break;
+            case hilti::rt::Protocol::UDP: protocol = hilti::ID("hilti::Protocol::UDP"); break;
+            default: hilti::logger().internalError("unexpected protocol");
+        }
+
+        preinit_body.addCall(
+            "zeek_rt::register_protocol_analyzer",
+            {builder::string(a.name), builder::id(protocol),
+             builder::vector(hilti::util::transform(
+                 a.ports,
+                 [](const auto& p) {
+                     return builder::call("zeek_rt::make_port_range", {builder::port(p.begin), builder::port(p.end)});
+                 })),
+             builder::string(a.unit_name_orig), builder::string(a.unit_name_resp), builder::string(a.replaces),
+             _linker_scope()});
+    }
+
+    for ( auto& a : _file_analyzers ) {
+        SPICY_DEBUG(hilti::util::fmt("Adding file analyzer '%s'", a.name));
+
+        if ( a.unit_name ) {
+            if ( auto ui = _driver->lookupType<::spicy::type::Unit>(a.unit_name) )
+                a.unit = *ui;
+            else {
+                hilti::logger().error(hilti::util::fmt("error with file analyzer %s: %s", a.name, ui.error()));
+                return false;
+            }
+        }
+
+        preinit_body.addCall("zeek_rt::register_file_analyzer",
+                             {builder::string(a.name),
+                              builder::vector(
+                                  hilti::util::transform(a.mime_types, [](auto m) { return builder::string(m); })),
+                              builder::string(a.unit_name), builder::string(a.replaces), _linker_scope()});
+    }
+
+    for ( auto& a : _packet_analyzers ) {
+        SPICY_DEBUG(hilti::util::fmt("Adding packet analyzer '%s'", a.name));
+
+        if ( a.unit_name ) {
+            if ( auto ui = _driver->lookupType<::spicy::type::Unit>(a.unit_name) )
+                a.unit = *ui;
+            else {
+                hilti::logger().error(hilti::util::fmt("error with packet analyzer %s: %s", a.name, ui.error()));
+                return false;
+            }
+        }
+
+        preinit_body.addCall("zeek_rt::register_packet_analyzer",
+                             {builder::string(a.name), builder::string(a.unit_name), builder::string(a.replaces),
+                              _linker_scope()});
+    }
+
+    // Create the Spicy hooks and accessor functions.
+    for ( auto&& ev : _events ) {
+        if ( ! CreateSpicyHook(&ev) )
+            return false;
+    }
+
+    // Register our Zeek events at pre-init time.
+    for ( auto&& ev : _events )
+        preinit_body.addCall("zeek_rt::install_handler", {builder::string(ev.name)});
+
+    // Create Zeek types for exported Spicy types.
+    for ( const auto& [tinfo, id] : _driver->exportedTypes() ) {
+        if ( auto type = createZeekType(tinfo.type, id) )
+            preinit_body.addCall("zeek_rt::register_type",
+                                 {builder::string(id.namespace_()), builder::string(id.local()), *type});
+        else
+            hilti::logger().error(hilti::util::fmt("cannot export Spicy type '%s': %s", id, type.error()),
+                                  tinfo.location);
+    }
+
+    for ( auto&& [id, m] : _spicy_modules ) {
+        // Import runtime module.
+        auto import_ = hilti::builder::import(hilti::ID("zeek_rt"), ".hlt");
+        m->spicy_module->add(std::move(import_));
+
+        // Create a vector of unique parent paths from all EVTs files going into this module.
+        auto search_dirs = hilti::util::transform(m->evts, [](auto p) { return p.parent_path(); });
+        auto search_dirs_vec = std::vector<hilti::rt::filesystem::path>(search_dirs.begin(), search_dirs.end());
+
+        // Import any dependencies.
+        for ( const auto& [module, scope] : _imports ) {
+            auto import_ = hilti::declaration::ImportedModule(module, std::string(".spicy"), scope, search_dirs_vec);
+            m->spicy_module->add(std::move(import_));
+        }
+
+        auto unit = hilti::Unit::fromModule(_driver->context(), *m->spicy_module, ".spicy");
+        _driver->addInput(unit);
+    }
+
+    if ( ! preinit_body.empty() ) {
+        auto preinit_function =
+            hilti::builder::function("zeek_preinit", hilti::type::void_, {}, preinit_body.block(),
+                                     hilti::type::function::Flavor::Standard, hilti::declaration::Linkage::PreInit);
+        init_module.add(std::move(preinit_function));
+    }
+
+    auto unit = hilti::Unit::fromModule(_driver->context(), init_module, ".hlt");
+    _driver->addInput(unit);
+    return true;
+}
+
+bool GlueCompiler::PopulateEvents() {
+    for ( auto& ev : _events ) {
+        if ( ev.unit_type )
+            // Already done.
+            continue;
+
+        TypeInfo uinfo;
+
+        // If we find the path itself, it's referring to a unit type directly;
+        // then add a "%done" to form the hook name.
+        if ( auto ui = _driver->lookupType<::spicy::type::Unit>(ev.path) ) {
+            // TODO: Check that it's a unit type.
+            uinfo = *ui;
+            ev.unit = ev.path;
+            ev.hook = ev.unit + hilti::ID("0x25_done");
+        }
+
+        else {
+            // Strip the last element of the path, the remainder must refer
+            // to a unit now.
+            ev.unit = ev.path.namespace_();
+            if ( ! ev.unit ) {
+                hilti::logger().error(hilti::util::fmt("unit type missing in hook '%s'", ev.path));
+                return false;
+            }
+
+            if ( auto ui = _driver->lookupType(ev.unit) ) {
+                uinfo = *ui;
+                ev.hook = ev.path;
+            }
+            else {
+                hilti::logger().error(hilti::util::fmt("unknown unit type '%s'", ev.unit));
+                return false;
+            }
+        }
+
+        ev.unit_type = uinfo.type.as<::spicy::type::Unit>();
+        ev.unit_module_id = uinfo.module_id;
+        ev.unit_module_path = uinfo.module_path;
+
+        if ( auto i = _spicy_modules.find(uinfo.module_id); i != _spicy_modules.end() ) {
+            ev.spicy_module = i->second;
+            i->second->evts.insert(ev.file);
+        }
+        else
+            hilti::logger().internalError(
+                hilti::util::fmt("module %s not known in Spicy module list", uinfo.module_id));
+
+        // Create accessor expression for event parameters.
+        int nr = 0;
+
+        for ( const auto& e : ev.exprs ) {
+            glue::ExpressionAccessor acc;
+            acc.nr = ++nr;
+            acc.expression = e;
+            acc.location = ev.location;
+            // acc.dollar_id = util::startsWith(e, "$");
+            ev.expression_accessors.push_back(acc);
+        }
+    }
+
+    return true;
+}
+
+#include <hilti/ast/operators/struct.h>
+
+#include <spicy/ast/detail/visitor.h>
+
+// Helper visitor to wrap expressions using the the TryMember operator into a
+// "deferred" expression.
+class WrapTryMemberVisitor : public hilti::visitor::PostOrder<void, WrapTryMemberVisitor> {
+public:
+    WrapTryMemberVisitor(bool catch_exception) : _catch_exception(catch_exception) {}
+
+    void operator()(const hilti::expression::UnresolvedOperator& n, position_t p) {
+        if ( n.kind() == hilti::operator_::Kind::TryMember )
+            p.node = hilti::expression::Deferred(hilti::Expression(n), _catch_exception);
+    }
+
+private:
+    bool _catch_exception;
+};
+
+static hilti::Result<hilti::Expression> _parseArgument(const std::string& expression, bool catch_exception,
+                                                       const hilti::Meta& meta) {
+    auto expr = spicy::parseExpression(expression, meta);
+    if ( ! expr )
+        return hilti::result::Error(hilti::util::fmt("error parsing event argument expression '%s'", expression));
+
+    // If the expression uses the ".?" operator, we need to defer evaluation
+    // so that we can handle potential exceptions at runtime.
+    auto v = WrapTryMemberVisitor(catch_exception);
+    auto n = hilti::Node(*expr);
+    for ( auto i : v.walk(&n) )
+        v.dispatch(i);
+
+    return n.as<hilti::Expression>();
+}
+
+bool GlueCompiler::CreateSpicyHook(glue::Event* ev) {
+    auto mangled_event_name =
+        hilti::util::fmt("%s_%p", hilti::util::replace(ev->name.str(), "::", "_"), std::hash<glue::Event>()(*ev));
+    auto meta = hilti::Meta(ev->location);
+
+    // Find the Spicy module that this event belongs to.
+    SPICY_DEBUG(hilti::util::fmt("Adding Spicy hook '%s' for event %s", ev->hook, ev->name));
+
+    auto import_ = hilti::declaration::ImportedModule(ev->unit_module_id, ev->unit_module_path);
+    ev->spicy_module->spicy_module->add(std::move(import_));
+
+    // Define Zeek-side event handler.
+    auto handler_id = hilti::ID(hilti::util::fmt("__zeek_handler_%s", mangled_event_name));
+    auto handler = builder::global(handler_id, builder::call("zeek_rt::internal_handler", {builder::string(ev->name)}),
+                                   hilti::declaration::Linkage::Private, meta);
+    ev->spicy_module->spicy_module->add(std::move(handler));
+
+    // Create the hook body that raises the event.
+    auto body = hilti::builder::Builder(_driver->context());
+
+#if SPICY_VERSION_NUMBER >= 10800
+    body.startProfiler(hilti::util::fmt("zeek/event/%s", ev->name));
+#endif
+
+    // If the event comes with a condition, evaluate that first.
+    if ( ev->condition.size() ) {
+        auto cond = ::spicy::parseExpression(ev->condition, meta);
+        if ( ! cond ) {
+            hilti::logger().error(hilti::util::fmt("error parsing conditional expression '%s'", ev->condition));
+            return false;
+        }
+
+        auto exit_ = body.addIf(builder::not_(*cond), meta);
+        exit_->addReturn(meta);
+    }
+
+    // Log event in debug code. Note: We cannot log the Zeek-side version
+    // (i.e., Vals with their types) because we wouldn't be able to determine
+    // those for events that don't have a handler (or at least a prototype)
+    // defined because we use the existing type definition to determine what
+    // Zeek type to convert an Spicy type into. However, we wouldn't want
+    // limit logging to events with handlers.
+    if ( _driver->hiltiOptions().debug ) {
+        std::vector<hilti::Expression> fmt_args = {builder::string(ev->name)};
+
+        for ( const auto&& [i, e] : hilti::util::enumerate(ev->expression_accessors) ) {
+            if ( hilti::util::startsWith(e.expression, "$") ) {
+                fmt_args.emplace_back(builder::string(e.expression));
+                continue;
+            }
+
+            if ( auto expr = _parseArgument(e.expression, true, meta) )
+                fmt_args.emplace_back(std::move(*expr));
+            else
+                // We'll catch and report this below.
+                fmt_args.emplace_back(builder::string("<error>"));
+        }
+
+        std::vector<std::string> fmt_ctrls(fmt_args.size() - 1, "%s");
+        auto fmt_str = hilti::util::fmt("-> event %%s(%s)", hilti::util::join(fmt_ctrls, ", "));
+        auto msg = builder::modulo(builder::string(fmt_str), builder::tuple(fmt_args));
+        auto call = builder::call("zeek_rt::debug", {std::move(msg)});
+        body.addExpression(call);
+    }
+
+    auto handler_expr = builder::id(handler_id);
+
+    if ( _driver->hiltiOptions().cxx_enable_dynamic_globals ) {
+        // Store reference to handler locally to avoid repeated lookups through globals store.
+        body.addLocal("handler", builder::id(handler_id), meta);
+        handler_expr = builder::id("handler");
+    }
+
+    // Nothing to do if there's not handler defined.
+    auto have_handler = builder::call("zeek_rt::have_handler", {handler_expr}, meta);
+    auto exit_ = body.addIf(builder::not_(have_handler), meta);
+    exit_->addReturn(meta);
+
+    // Build event's argument vector.
+    body.addLocal(hilti::ID("args"), hilti::type::Vector(builder::typeByID("zeek_rt::Val"), meta), meta);
+    body.addMemberCall(builder::id("args"), "reserve",
+                       {builder::integer(static_cast<uint64_t>(ev->expression_accessors.size()))}, meta);
+
+    int i = 0;
+    for ( const auto& e : ev->expression_accessors ) {
+        hilti::Expression val;
+
+        if ( e.expression == "$conn" )
+            val = builder::call("zeek_rt::current_conn", {}, meta);
+        else if ( e.expression == "$file" )
+            val = builder::call("zeek_rt::current_file", {}, meta);
+        else if ( e.expression == "$packet" )
+            val = builder::call("zeek_rt::current_packet", {}, meta);
+        else if ( e.expression == "$is_orig" )
+            val = builder::call("zeek_rt::current_is_orig", {}, meta);
+        else {
+            if ( hilti::util::startsWith(e.expression, "$") ) {
+                hilti::logger().error(hilti::util::fmt("unknown reserved parameter '%s'", e.expression));
+                return false;
+            }
+
+            auto expr = _parseArgument(e.expression, false, meta);
+            if ( ! expr ) {
+                hilti::logger().error(expr.error());
+                return false;
+            }
+
+            auto ztype = builder::call("zeek_rt::event_arg_type", {handler_expr, builder::integer(i)}, meta);
+            val = builder::call("zeek_rt::to_val", {std::move(*expr), ztype}, meta);
+        }
+
+        body.addMemberCall(builder::id("args"), "push_back", {val}, meta);
+        i++;
+    }
+
+    body.addCall("zeek_rt::raise_event", {handler_expr, builder::move(builder::id("args"))}, meta);
+
+    auto attrs = hilti::AttributeSet({hilti::Attribute("&priority", builder::integer(ev->priority))});
+    auto unit_hook = ::spicy::Hook(ev->parameters, body.block(), ::spicy::Engine::All, {}, meta);
+    auto hook_decl = ::spicy::declaration::UnitHook(ev->hook, unit_hook, meta);
+    ev->spicy_module->spicy_module->add(hilti::Declaration(hook_decl));
+
+    return true;
+}
+
+namespace {
+// Visitor creasting code to instantiate a Zeek type corresponding to a give
+// HILTI type.
+//
+// Note: Any logic changes here must be reflected in the plugin driver's
+// corresponding `VisitorZeekType` as well.
+struct VisitorZeekType : hilti::visitor::PreOrder<hilti::Result<hilti::Expression>, VisitorZeekType> {
+    VisitorZeekType(const GlueCompiler* gc) : gc(gc) {}
+
+    const GlueCompiler* gc;
+
+    std::set<hilti::ID> zeek_types;
+    std::vector<std::optional<hilti::ID>> ids = {};
+
+    // Returns current ID, if any.
+    auto id() const { return ids.empty() ? std::nullopt : ids.back(); }
+
+    // Returns namespace of top-level ID, if any.
+    auto namespace_() const {
+        return (! ids.empty() && ids.front().has_value()) ? ids.front()->namespace_() : hilti::ID();
+    }
+
+    result_t base_type(const char* tag) { return builder::call("zeek_rt::create_base_type", {builder::id(tag)}); }
+
+    result_t createZeekType(const hilti::Type& t, const std::optional<hilti::ID>& id_ = {}) {
+        if ( id_ )
+            ids.push_back(id_);
+        else if ( auto x = t.typeID() )
+            ids.push_back(*x);
+        else
+            ids.push_back(std::nullopt);
+
+        if ( id() ) {
+            // Avoid infinite recursion.
+            if ( zeek_types.count(*id()) )
+                return hilti::result::Error("type is self-recursive");
+
+            zeek_types.insert(*id());
+        }
+
+        auto x = dispatch(t);
+        if ( ! x )
+            return hilti::result::Error(
+                hilti::util::fmt("no support for automatic conversion into a Zeek type (%s)", t.typename_()));
+
+        if ( id() )
+            zeek_types.erase(*id());
+
+        ids.pop_back();
+
+        return *x;
+    }
+
+    result_t operator()(const hilti::type::Address& t) { return base_type("zeek_rt::ZeekTypeTag::Addr"); }
+    result_t operator()(const hilti::type::Bool& t) { return base_type("zeek_rt::ZeekTypeTag::Bool"); }
+    result_t operator()(const hilti::type::Bytes& t) { return base_type("zeek_rt::ZeekTypeTag::String"); }
+    result_t operator()(const hilti::type::Interval& t) { return base_type("zeek_rt::ZeekTypeTag::Interval"); }
+    result_t operator()(const hilti::type::Port& t) { return base_type("zeek_rt::ZeekTypeTag::Port"); }
+    result_t operator()(const hilti::type::Real& t) { return base_type("zeek_rt::ZeekTypeTag::Double"); }
+    result_t operator()(const hilti::type::SignedInteger& t) { return base_type("zeek_rt::ZeekTypeTag::Int"); }
+    result_t operator()(const hilti::type::String& t) { return base_type("zeek_rt::ZeekTypeTag::String"); }
+    result_t operator()(const hilti::type::Time& t) { return base_type("zeek_rt::ZeekTypeTag::Time"); }
+    result_t operator()(const hilti::type::UnsignedInteger& t) { return base_type("zeek_rt::ZeekTypeTag::Count"); }
+
+    result_t operator()(const hilti::type::Enum& t) {
+        assert(id());
+
+        auto labels = hilti::rt::transform(t.labels(), [](const auto& l) {
+            return builder::tuple({builder::string(l.get().id()), builder::integer(l.get().value())});
+        });
+
+        return builder::call("zeek_rt::create_enum_type", {builder::string(id()->namespace_()),
+                                                           builder::string(id()->local()), builder::vector(labels)});
+    }
+
+    result_t operator()(const hilti::type::Map& t) {
+        auto key = createZeekType(t.keyType());
+        if ( ! key )
+            return key.error();
+
+        auto value = createZeekType(t.valueType());
+        if ( ! value )
+            return value.error();
+
+        return builder::call("zeek_rt::create_table_type", {*key, *value});
+    }
+
+    result_t operator()(const hilti::type::Optional& t) { return createZeekType(t.dereferencedType()); }
+
+    result_t operator()(const hilti::type::Set& t) {
+        auto elem = createZeekType(t.elementType());
+        if ( ! elem )
+            return elem.error();
+
+        return builder::call("zeek_rt::create_table_type", {*elem, builder::null()});
+    }
+
+    result_t operator()(const hilti::type::Struct& t) {
+        assert(id());
+
+        std::vector<hilti::Expression> fields;
+        for ( const auto& f : t.fields() ) {
+            auto ztype = createZeekType(f.type());
+            if ( ! ztype )
+                return ztype.error();
+
+            fields.emplace_back(builder::tuple({builder::string(f.id()), *ztype, builder::bool_(f.isOptional())}));
+        }
+
+        return builder::call("zeek_rt::create_record_type", {builder::string(id()->namespace_()),
+                                                             builder::string(id()->local()), builder::vector(fields)});
+    }
+
+    result_t operator()(const hilti::type::Tuple& t) {
+        std::vector<hilti::Expression> fields;
+        for ( const auto& f : t.elements() ) {
+            if ( ! f.id() )
+                return hilti::result::Error("can only convert tuple types with all-named fields to Zeek");
+
+            auto ztype = createZeekType(f.type());
+            if ( ! ztype )
+                return ztype.error();
+
+            fields.emplace_back(builder::tuple({builder::string(*f.id()), *ztype, builder::bool_(false)}));
+        }
+
+        hilti::ID local;
+        hilti::ID ns;
+
+        if ( auto id_ = id() ) {
+            local = id_->local();
+            ns = id_->namespace_();
+        }
+        else {
+            // Invent a (hopefully unique) name for the Zeek-side record type
+            // so that we can handle anonymous tuple types.
+            static uint64_t i = 0;
+            local = hilti::util::
+                fmt("__spicy_tuple_%u"
+                    "_%" PRIu64,
+                    static_cast<unsigned int>(getpid()), ++i);
+            ns = namespace_();
+        }
+
+        return builder::call("zeek_rt::create_record_type",
+                             {builder::string(ns), builder::string(local), builder::vector(fields)});
+    }
+
+    result_t operator()(const ::spicy::type::Unit& t) {
+        assert(id());
+
+        std::vector<hilti::Expression> fields;
+        for ( const auto& f : gc->recordFields(t) ) {
+            auto ztype = createZeekType(std::get<1>(f));
+            if ( ! ztype )
+                return ztype.error();
+
+            fields.emplace_back(
+                builder::tuple({builder::string(std::get<0>(f)), *ztype, builder::bool_(std::get<2>(f))}));
+        }
+
+        return builder::call("zeek_rt::create_record_type", {builder::string(id()->namespace_()),
+                                                             builder::string(id()->local()), builder::vector(fields)});
+    }
+
+    result_t operator()(const hilti::type::Vector& t) {
+        auto elem = createZeekType(t.elementType());
+        if ( ! elem )
+            return elem.error();
+
+        return builder::call("zeek_rt::create_vector_type", {*elem});
+    }
+};
+} // namespace
+
+hilti::Result<hilti::Expression> GlueCompiler::createZeekType(const hilti::Type& t, const hilti::ID& id) const {
+    auto v = VisitorZeekType(this);
+    return v.createZeekType(t, id);
+}
+
+namespace {
+struct VisitorUnitFields : hilti::visitor::PreOrder<void, VisitorUnitFields> {
+    // NOTE: Align this logic with struct generation in Spicy's unit builder.
+    std::vector<GlueCompiler::RecordField> fields;
+
+    void operator()(const ::spicy::type::unit::item::Field& f, position_t p) {
+        if ( f.isTransient() || f.parseType().isA<hilti::type::Void>() )
+            return;
+
+        fields.emplace_back(f.id(), f.itemType(), true);
+    }
+
+    void operator()(const ::spicy::type::unit::item::Variable& f, const position_t p) {
+        fields.emplace_back(f.id(), f.itemType(), f.isOptional());
+    }
+
+    // TODO: void operator()(const ::spicy::type::unit::item::Switch & f, const position_t p) {
+};
+} // namespace
+
+std::vector<GlueCompiler::RecordField> GlueCompiler::recordFields(const ::spicy::type::Unit& unit) {
+    VisitorUnitFields unit_field_converter;
+
+    for ( const auto& i : unit.items() )
+        unit_field_converter.dispatch(i);
+
+    return std::move(unit_field_converter.fields);
+}
diff --git a/src/spicy/spicyz/glue-compiler.h b/src/spicy/spicyz/glue-compiler.h
new file mode 100644
index 0000000000..b6c3631f87
--- /dev/null
+++ b/src/spicy/spicyz/glue-compiler.h
@@ -0,0 +1,243 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include <map>
+#include <memory>
+#include <set>
+#include <string>
+#include <tuple>
+#include <utility>
+#include <vector>
+
+#include <hilti/rt/filesystem.h>
+#include <hilti/rt/types/port.h>
+#include <hilti/rt/util.h>
+
+#include <spicy/rt/mime.h>
+
+#include <hilti/ast/declarations/function.h>
+#include <hilti/ast/expression.h>
+#include <hilti/ast/module.h>
+#include <hilti/ast/type.h>
+#include <hilti/compiler/context.h>
+#include <hilti/compiler/driver.h>
+
+#include <spicy/ast/declarations/unit-hook.h>
+#include <spicy/ast/types/unit.h>
+
+#include "driver.h"
+#include "zeek/spicy/port-range.h"
+
+namespace spicy::rt {
+struct Parser;
+}
+
+namespace zeek::spicy {
+
+namespace glue {
+
+/** Representation of a Spicy protocol analyzer, parsed from an EVT file. */
+struct ProtocolAnalyzer {
+    // Information parsed directly from the *.evt file.
+    hilti::Location location;                                  /**< Location where the analyzer was defined. */
+    hilti::ID name;                                            /**< Name of the analyzer. */
+    hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; /**< The transport layer the analyzer uses. */
+    std::vector<::zeek::spicy::rt::PortRange> ports;           /**< The ports associated with the analyzer. */
+    hilti::ID unit_name_orig; /**< The fully-qualified name of the unit type to parse the originator
+                                 side. */
+    hilti::ID unit_name_resp; /**< The fully-qualified name of the unit type to parse the originator
+                                 side. */
+    std::string replaces;     /**< Name of another analyzer this one replaces. */
+
+    // Computed information.
+    std::optional<TypeInfo> unit_orig; /**< The type of the unit to parse the originator side. */
+    std::optional<TypeInfo> unit_resp; /**< The type of the unit to parse the originator side. */
+};
+
+/** Representation of a Spicy file analyzer, parsed from an EVT file. */
+struct FileAnalyzer {
+    // Information parsed directly from the *.evt file.
+    hilti::Location location;            /**< Location where the analyzer was defined. */
+    hilti::ID name;                      /**< Name of the analyzer. */
+    std::vector<std::string> mime_types; /**< The mime_types associated with the analyzer. */
+    hilti::ID unit_name;                 /**< The fully-qualified name of the unit type to parse with. */
+    std::string replaces;                /**< Name of another analyzer this one replaces. */
+
+    // Computed information.
+    std::optional<TypeInfo> unit; /**< The type of the unit to parse the originator side. */
+};
+
+/** Representation of a Spicy packet analyzer, parsed from an EVT file. */
+struct PacketAnalyzer {
+    // Information parsed directly from the *.evt file.
+    hilti::Location location; /**< Location where the analyzer was defined. */
+    hilti::ID name;           /**< Name of the analyzer. */
+    hilti::ID unit_name;      /**< The fully-qualified name of the unit type to parse with. */
+    std::string replaces;     /**< Name of another analyzer this one replaces. */
+
+    // Computed information.
+    std::optional<TypeInfo> unit; /**< The type of the unit to parse the originator side. */
+};
+
+/**
+ * Representation of an expression computing the value of a parameter passed
+ * to Spicy-generated events.
+ */
+struct ExpressionAccessor {
+    // Information parsed directly from the *.evt file.
+    int nr;                   /**< Position of this expression in argument list. */
+    std::string expression;   /**< The original string representation of the expression. */
+    hilti::Location location; /**< Location where the expression was defined. */
+};
+
+/** Representation of a compiled Spicy module. */
+struct SpicyModule {
+    // Provided.
+    hilti::ID id;                               /**< Name of the module */
+    hilti::rt::filesystem::path file;           /**< The path the module was read from. */
+    std::set<hilti::rt::filesystem::path> evts; /**< EVT files that refer to this module. */
+
+    // Generated code.
+    std::optional<hilti::Module> spicy_module; /**< the ``BroHooks_*.spicy`` module. */
+};
+
+/** Representation of an event parsed from an EVT file. */
+struct Event {
+    // Information parsed directly from the *.evt file.
+    hilti::rt::filesystem::path file;                         /**< The path of the *.evt file we parsed this from. */
+    hilti::ID name;                                           /**< The name of the event. */
+    hilti::ID path;                                           /**< The hook path as specified in the evt file. */
+    std::vector<hilti::type::function::Parameter> parameters; /**< Event parameters specified in the evt file. */
+    std::string condition;          /**< Condition that must be true for the event to trigger. */
+    std::vector<std::string> exprs; /**< The argument expressions. */
+    int priority;                   /**< Event/hook priority. */
+    hilti::Location location;       /**< Location where event is defined. */
+
+    // Computed information.
+    hilti::ID hook;                               /**< The name of the hook triggering the event. */
+    hilti::ID unit;                               /**< The fully qualified name of the unit type. */
+    std::optional<::spicy::type::Unit> unit_type; /**< The Spicy type of referenced unit. */
+    hilti::ID unit_module_id;                     /**< The name of the module the referenced unit is defined in. */
+    hilti::rt::filesystem::path unit_module_path; /**< The path of the module that the referenced unit is defined in. */
+    std::shared_ptr<glue::SpicyModule>
+        spicy_module; /**< State for the Spichy module the referenced unit is defined in. */
+
+    // TODO: The following aren't set yet.
+
+    // Code generation.
+    std::optional<::spicy::declaration::UnitHook> spicy_hook; /**< The generated Spicy hook. */
+    std::optional<hilti::declaration::Function> hilti_raise;  /**< The generated HILTI raise() function. */
+    std::vector<ExpressionAccessor> expression_accessors; /**< One HILTI function per expression to access the value. */
+};
+
+} // namespace glue
+
+/** Generates the glue code between Zeek and Spicy based on *.evt files. */
+class GlueCompiler {
+public:
+    /** Constructor. */
+    GlueCompiler() {}
+
+    /** Destructor. */
+    virtual ~GlueCompiler();
+
+    /** Parses an `*.evt` file, without generating any code yet. */
+    bool loadEvtFile(hilti::rt::filesystem::path& path);
+
+    /**
+     * Registers a Spicy file to generate glue code for, without generating
+     * any code yet.
+     *
+     * @param id ID of the module
+     * @param file path the module is loaded from
+     */
+    void addSpicyModule(const hilti::ID& id, const hilti::rt::filesystem::path& file);
+
+    /**
+     * Generates all glue code based on previously registered `*.evt` and
+     * Spicy files.
+     */
+    bool compile();
+
+    /** Returns all IDs that have been exported so far. */
+    const auto& exportedIDs() const { return _exports; }
+
+    /** Generates code to convert a HILTI type to a corresponding Zeek type at runtime. */
+    hilti::Result<hilti::Expression> createZeekType(const hilti::Type& t, const hilti::ID& id) const;
+
+    using RecordField = std::tuple<std::string, hilti::Type, bool>; /**< (ID, type, optional) */
+
+    /**
+     * Helper to retrieve a list of Zeek-side record fields that converting a
+     * Spicy unit to a Zeek record will yield.
+     *
+     * @param unit the unit type to retrieve fields for
+     * @return list of fields
+     */
+    static std::vector<RecordField> recordFields(const ::spicy::type::Unit& unit);
+
+protected:
+    friend class Driver;
+
+    /** Called by driver to initialized a provided glue compiler. */
+    void Init(Driver* driver, int zeek_version);
+
+private:
+    /**
+     * Filters input EVT file by applying preprocessor directives.
+     */
+    void preprocessEvtFile(hilti::rt::filesystem::path& path, std::istream& in, std::ostream& out);
+
+    /**
+     * Extracts the next semicolon-terminated block from an input stream,
+     * accounting for special EVT constructs like strings and comments.
+     *
+     * @param in stream to read from
+     * @param lineno pointer to integer that will be increased with line breaks
+     * @return the read block of data, with comments removed, and empty if end of
+     * data has been reached; error will be set if parsing failed
+     */
+    hilti::Result<std::string> getNextEvtBlock(std::istream& in, int* lineno) const;
+
+    // Parsers for parts from EVT files.
+    glue::ProtocolAnalyzer parseProtocolAnalyzer(const std::string& chunk);
+    glue::FileAnalyzer parseFileAnalyzer(const std::string& chunk);
+    glue::PacketAnalyzer parsePacketAnalyzer(const std::string& chunk);
+    glue::Event parseEvent(const std::string& chunk);
+
+    /** Computes the missing pieces for all `Event` instances.  */
+    bool PopulateEvents();
+
+    /**
+     * Create the Spicy hook for an event that triggers a corresponding Zeek
+     * event.
+     */
+    bool CreateSpicyHook(glue::Event* ev);
+
+    Driver* _driver = nullptr;        /**< driver provided to Init() */
+    std::optional<int> _zeek_version; /**< Zeek version provided to Init() */
+
+    std::map<hilti::ID, std::shared_ptr<glue::SpicyModule>> _spicy_modules;
+
+    std::vector<std::pair<hilti::ID, std::optional<hilti::ID>>>
+        _imports; /**< imports from EVT files, with ID and optional scope */
+    std::vector<std::tuple<hilti::ID, hilti::ID, hilti::Location>> _exports; /**< exports from EVT files */
+    std::vector<glue::Event> _events;                                        /**< events parsed from EVT files */
+    std::vector<glue::ProtocolAnalyzer> _protocol_analyzers; /**< protocol analyzers parsed from EVT files */
+    std::vector<glue::FileAnalyzer> _file_analyzers;         /**< file analyzers parsed from EVT files */
+    std::vector<glue::PacketAnalyzer> _packet_analyzers;     /**< file analyzers parsed from EVT files */
+    std::vector<hilti::Location> _locations;                 /**< location stack during parsing EVT files */
+};
+} // namespace zeek::spicy
+
+namespace std {
+template<>
+struct hash<zeek::spicy::glue::Event> {
+    std::size_t operator()(const zeek::spicy::glue::Event& e) {
+        // We only hash enough information here to unique identify the event.
+        return hilti::rt::hashCombine(std::hash<std::string>()(e.file), std::hash<std::string>()(e.name),
+                                      std::hash<std::string>()(e.path), std::hash<std::string>()(e.location));
+    }
+};
+} // namespace std
diff --git a/src/spicy/spicyz/main.cc b/src/spicy/spicyz/main.cc
new file mode 100644
index 0000000000..3945dfe7d8
--- /dev/null
+++ b/src/spicy/spicyz/main.cc
@@ -0,0 +1,282 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <getopt.h>
+
+#include <hilti/base/result.h>
+#include <hilti/base/util.h>
+
+#include "config.h"
+#include "driver.h"
+#include "glue-compiler.h"
+
+using namespace zeek::spicy;
+
+constexpr int OPT_CXX_LINK = 1000;
+
+static struct option long_driver_options[] = {{"abort-on-exceptions", required_argument, nullptr, 'A'},
+                                              {"show-backtraces", required_argument, nullptr, 'B'},
+                                              {"compiler-debug", required_argument, nullptr, 'D'},
+                                              {"cxx-link", required_argument, nullptr, OPT_CXX_LINK},
+                                              {"debug", no_argument, nullptr, 'd'},
+                                              {"debug-addl", required_argument, nullptr, 'X'},
+                                              {"disable-optimizations", no_argument, nullptr, 'g'},
+                                              {"dump-code", no_argument, nullptr, 'C'},
+                                              {"enable-profiling", no_argument, nullptr, 'Z'},
+                                              {"help", no_argument, nullptr, 'h'},
+                                              {"keep-tmps", no_argument, nullptr, 'T'},
+                                              {"library-path", required_argument, nullptr, 'L'},
+                                              {"output", required_argument, nullptr, 'o'},
+                                              {"output-c++", required_argument, nullptr, 'c'},
+                                              {"output-c++-files", no_argument, nullptr, 'x'},
+                                              {"print-module-path", no_argument, nullptr, 'M'},
+                                              {"print-plugin-path", no_argument, nullptr,
+                                               'P'}, // for backwards compatiblity
+                                              {"print-prefix-path", no_argument, nullptr, 'p'},
+                                              {"print-zeek-config", no_argument, nullptr, 'z'},
+                                              {"report-times", required_argument, nullptr, 'R'},
+                                              {"print-scripts-path", no_argument, nullptr, 'S'},
+                                              {"skip-validation", no_argument, nullptr, '!'},
+                                              {"version", no_argument, nullptr, 'v'},
+                                              {"version-number", no_argument, nullptr, 'V'},
+                                              {nullptr, 0, nullptr, 0}};
+
+static void usage() {
+    std::cerr << "Usage: spicyz [options] <inputs>\n"
+                 "\n"
+                 "  -c | --output-c++ <prefix>      Output generated C++ code.\n"
+                 "  -d | --debug                    Include debug instrumentation into generated code.\n"
+                 "  -g | --disable-optimizations    Disable HILTI-side optimizations of the generated "
+                 "code.\n"
+                 "  -o | --output-to <path>         Path for saving output.\n"
+                 "  -v | --version                  Print version information.\n"
+                 "  -x | --output-c++ <prefix>      Output generated C++ code into set of files.\n"
+                 "  -z | --print-zeek-config        Print path to zeek-config.\n"
+                 "  -A | --abort-on-exceptions      When executing compiled code, abort() instead of "
+                 "throwing HILTI "
+                 "exceptions.\n"
+                 "  -B | --show-backtraces          Include backtraces when reporting unhandled "
+                 "exceptions.\n"
+                 "  -C | --dump-code                Dump all generated code to disk for debugging.\n"
+                 "  -D | --compiler-debug <streams> Activate compile-time debugging output for given "
+                 "debug streams "
+                 "(comma-separated; 'help' for list).\n"
+                 "  -L | --library-path <path>      Add path to list of directories to search when "
+                 "importing modules.\n"
+                 "  -M | --print-module-path        Print the Zeek's search path for compiled Spicy modules.\n"
+                 "  -p | --print-prefix-path        Print installation prefix path.\n"
+                 "  -R | --report-times             Report a break-down of compiler's execution time.\n"
+                 "  -T | --keep-tmps                Do not delete any temporary files created.\n"
+                 "       --skip-validation          Don't validate ASTs (for debugging only).\n"
+                 "  -X | --debug-addl <addl>        Implies -d and adds selected additional "
+                 "instrumentation."
+                 "(comma-separated; see 'help' for list).\n"
+                 "       --cxx-link <lib>           Link specified static archive or shared library "
+                 "during JIT or to "
+                 "  -Z | --enable-profiling         Report profiling statistics after execution.\n"
+                 "\n"
+                 "Inputs can be *.spicy, *.evt, *.hlt, .cc/.cxx\n"
+                 "\n";
+}
+
+using hilti::Nothing;
+
+static hilti::Result<Nothing> parseOptions(int argc, char** argv, hilti::driver::Options* driver_options,
+                                           hilti::Options* compiler_options) {
+    while ( true ) {
+        int c = getopt_long(argc, argv, "ABc:Cdgx:X:D:L:Mo:pPRSTvhzZ", long_driver_options, nullptr);
+
+        if ( c == -1 )
+            break;
+
+        switch ( c ) {
+            case 'A': driver_options->abort_on_exceptions = true; break;
+
+            case 'B': driver_options->show_backtraces = true; break;
+
+            case 'c':
+                driver_options->output_cxx = true;
+                driver_options->output_cxx_prefix = optarg;
+                driver_options->execute_code = false;
+                compiler_options->cxx_namespace_extern =
+                    hilti::util::fmt("hlt_%s", hilti::rt::filesystem::path(optarg).stem().string());
+                compiler_options->cxx_namespace_intern =
+                    hilti::util::fmt("__hlt_%s", hilti::rt::filesystem::path(optarg).stem().string());
+                break;
+
+            case 'C': {
+                driver_options->dump_code = true;
+                break;
+            }
+
+            case 'd': {
+                compiler_options->debug = true;
+                break;
+            }
+
+            case 'g': {
+                driver_options->global_optimizations = false;
+                break;
+            }
+
+            case 'p': std::cout << configuration::InstallPrefix.native() << std::endl; return Nothing();
+
+            case 'P':
+                // For backwards compatibility with older plugins, print
+                // the path where the `cmake/` folder is located.
+                std::cout << configuration::DataPath().native() << std::endl;
+                return Nothing();
+
+            case 'x':
+                driver_options->output_cxx = true;
+                driver_options->output_cxx_prefix = optarg;
+                driver_options->execute_code = false;
+                driver_options->include_linker = true;
+                compiler_options->cxx_namespace_extern =
+                    hilti::util::fmt("hlt_%s", hilti::rt::filesystem::path(optarg).stem().string());
+                compiler_options->cxx_namespace_intern =
+                    hilti::util::fmt("__hlt_%s", hilti::rt::filesystem::path(optarg).stem().string());
+                break;
+
+            case 'X': {
+                auto arg = std::string(optarg);
+
+                if ( arg == "help" ) {
+                    std::cerr << "Additional debug instrumentation:\n";
+                    std::cerr << "   flow:     log function calls to debug stream \"hilti-flow\"\n";
+                    std::cerr << "   location: track current source code location for error reporting\n";
+                    std::cerr << "   trace:    log statements to debug stream \"hilti-trace\"\n";
+                    std::cerr << "\n";
+                    exit(0);
+                }
+
+                compiler_options->debug = true;
+
+                if ( auto r = compiler_options->parseDebugAddl(arg); ! r )
+                    return hilti::result::Error("nothing to do");
+
+                break;
+            }
+
+            case 'D': {
+                auto arg = std::string(optarg);
+
+                if ( arg == "help" ) {
+                    std::cerr << "Debug streams:\n";
+
+                    for ( const auto& s : hilti::logging::DebugStream::all() )
+                        std::cerr << "  " << s << "\n";
+
+                    std::cerr << "\n";
+                    return Nothing();
+                }
+
+                for ( const auto& s : hilti::util::split(arg, ",") ) {
+                    if ( ! driver_options->logger->debugEnable(s) )
+                        return hilti::result::Error(
+                            hilti::util::fmt("Unknown debug stream '%s', use 'help' for list", arg));
+                }
+
+                break;
+            }
+
+            case 'L': compiler_options->library_paths.emplace_back(std::string(optarg)); break;
+
+            case 'M': std::cout << configuration::ModulePath().native() << std::endl; return Nothing();
+
+            case 'o': driver_options->output_path = std::string(optarg); break;
+
+            case 'R': driver_options->report_times = true; break;
+
+            case 'S': std::cout << "" << std::endl; return Nothing(); // No longer needed, but left for compatibility.
+
+            case 'T':
+                driver_options->keep_tmps = true;
+                compiler_options->keep_tmps = true;
+                break;
+
+            case 'v': std::cout << configuration::ZeekVersion << std::endl; return Nothing();
+
+            case 'V': std::cout << ZEEK_VERSION_NUMBER << std::endl; return Nothing();
+
+            case 'z': {
+                if ( auto zcfg = getenv("ZEEK_CONFIG"); zcfg && *zcfg )
+                    std::cout << zcfg << std::endl;
+                else
+                    std::cout << configuration::InstallBinDir().native() << std::endl;
+
+                return Nothing();
+            }
+
+            case 'Z':
+#if SPICY_VERSION_NUMBER >= 10800
+                driver_options->enable_profiling = true;
+                compiler_options->enable_profiling = true;
+#else
+                std::cerr << "Profiling is not supported with this version of Spicy, ignoring '-Z'\n";
+#endif
+                break;
+
+            case OPT_CXX_LINK:
+#if SPICY_VERSION_NUMBER >= 10600
+                compiler_options->cxx_link.emplace_back(optarg);
+#else
+                return hilti::result::Error("option '--cxx-link' is only supported for Spicy 1.6 or newer");
+#endif
+                break;
+
+            case 'h': usage(); return Nothing();
+
+            case '!': compiler_options->skip_validation = true; break;
+
+            default: usage(); return hilti::result::Error("could not parse options");
+        }
+    }
+
+    while ( optind < argc )
+        driver_options->inputs.emplace_back(argv[optind++]);
+
+    if ( driver_options->inputs.empty() )
+        return hilti::result::Error("no input file given");
+
+    if ( driver_options->output_path.empty() && ! driver_options->output_cxx )
+        return hilti::result::Error("no output file for object code given, use -o <file>.hlto");
+
+    return Nothing();
+}
+
+int main(int argc, char** argv) {
+    Driver driver(std::make_unique<GlueCompiler>(), "", configuration::LibraryPath(), ZEEK_VERSION_NUMBER);
+
+    hilti::driver::Options driver_options;
+    driver_options.execute_code = true;
+    driver_options.include_linker = true;
+
+    auto compiler_options = driver.hiltiOptions();
+
+    if ( auto rc = parseOptions(argc, argv, &driver_options, &compiler_options); ! rc ) {
+        hilti::logger().error(rc.error().description());
+        return 1;
+    }
+
+    driver.setDriverOptions(std::move(driver_options));
+    driver.setCompilerOptions(std::move(compiler_options));
+    driver.initialize();
+
+    for ( const auto& p : driver.driverOptions().inputs ) {
+        if ( auto rc = driver.loadFile(p); ! rc ) {
+            hilti::logger().error(rc.error().description());
+            return 1;
+        }
+    }
+
+    if ( auto rc = driver.compile(); ! rc ) {
+        hilti::logger().error(rc.error().description());
+
+        if ( rc.error().context().size() )
+            hilti::logger().error(rc.error().context());
+
+        return 1;
+    }
+
+    return 0;
+}
diff --git a/src/telemetry/CMakeLists.txt b/src/telemetry/CMakeLists.txt
index b93bf72a1b..1c71ba42a3 100644
--- a/src/telemetry/CMakeLists.txt
+++ b/src/telemetry/CMakeLists.txt
@@ -1,7 +1 @@
-zeek_add_subdir_library(
-    telemetry
-    SOURCES
-        Manager.cc
-    BIFS
-        telemetry.bif
-)
+zeek_add_subdir_library(telemetry SOURCES Manager.cc BIFS telemetry.bif)
diff --git a/src/util-config.h.in b/src/util-config.h.in
deleted file mode 100644
index 6272fba391..0000000000
--- a/src/util-config.h.in
+++ /dev/null
@@ -1,3 +0,0 @@
-#define ZEEK_SCRIPT_INSTALL_PATH "@ZEEK_SCRIPT_INSTALL_PATH@"
-#define BRO_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
-#define DEFAULT_ZEEKPATH "@DEFAULT_ZEEKPATH@"
diff --git a/src/util.cc b/src/util.cc
index f19e1c0ba0..cd9473244f 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -4,7 +4,7 @@
 
 #include "zeek/zeek-config.h"
 
-#include "util-config.h"
+#include "zeek/zeek-config-paths.h"
 
 #ifdef HAVE_DARWIN
 #include <mach/mach_init.h>
@@ -25,6 +25,7 @@
 #include <cstdarg>
 #include <cstdio>
 #include <cstdlib>
+#include <sstream>
 
 #if defined(HAVE_MALLINFO) || defined(HAVE_MALLINFO2)
 #include <malloc.h>
@@ -383,6 +384,23 @@ static bool write_random_seeds(const char* write_file, uint32_t seed,
 	return true;
 	}
 
+// Same as read_random_seeds() but takes seeds from a space separated string instead.
+static bool fill_random_seeds(const std::string& seed_string, uint32_t* seed,
+                              std::array<uint32_t, zeek::detail::KeyedHash::SEED_INIT_SIZE>& buf)
+	{
+	stringstream ss{seed_string};
+	if ( ! (ss >> *seed) )
+		return false;
+
+	for ( auto& v : buf )
+		{
+		if ( ! (ss >> v) )
+			return false;
+		}
+
+	return true;
+	}
+
 static bool zeek_rand_deterministic = false;
 static long int zeek_rand_state = 0;
 static bool first_seed_saved = false;
@@ -404,7 +422,8 @@ void seed_random(unsigned int seed)
 		srandom(seed);
 	}
 
-void init_random_seed(const char* read_file, const char* write_file, bool use_empty_seeds)
+void init_random_seed(const char* read_file, const char* write_file, bool use_empty_seeds,
+                      const std::string& seed_string)
 	{
 	std::array<uint32_t, zeek::detail::KeyedHash::SEED_INIT_SIZE> buf = {};
 	size_t pos = 0; // accumulates entropy
@@ -414,7 +433,14 @@ void init_random_seed(const char* read_file, const char* write_file, bool use_em
 	if ( read_file )
 		{
 		if ( ! read_random_seeds(read_file, &seed, buf) )
-			reporter->FatalError("Could not load seeds from file '%s'.\n", read_file);
+			reporter->FatalError("Could not load seeds from file '%s'.", read_file);
+		else
+			seeds_done = true;
+		}
+	else if ( ! seed_string.empty() )
+		{
+		if ( ! fill_random_seeds(seed_string, &seed, buf) )
+			reporter->FatalError("Could not load seeds from string");
 		else
 			seeds_done = true;
 		}
@@ -996,6 +1022,18 @@ void set_thread_name(const char* name, pthread_t tid)
 #endif
 	}
 
+int setvbuf(FILE* stream, char* buf, int type, size_t size)
+	{
+#ifndef _MSC_VER
+	return ::setvbuf(stream, NULL, type, size);
+#else
+	// TODO: this turns off buffering altogether because Windows wants us to pass a valid
+	// buffer and length if we're going to pass one of the other modes. We need to
+	// investigate the performance ramifications of this.
+	return ::setvbuf(stream, NULL, _IONBF, 0);
+#endif
+	}
+
 	} // namespace detail
 
 TEST_CASE("util get_unescaped_string")
diff --git a/src/util.h b/src/util.h
index 3988199368..d08a819488 100644
--- a/src/util.h
+++ b/src/util.h
@@ -138,12 +138,15 @@ extern bool ensure_dir(const char* dirname);
 
 extern void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16]);
 
-// Initializes RNGs for zeek::random_number() and MD5 usage.  If load_file is given,
-// the seeds (both random & MD5) are loaded from that file.  This takes
-// precedence over the "use_empty_seeds" argument, which just
-// zero-initializes all seed values.  If write_file is given, the seeds are
+// Initializes RNGs for zeek::random_number() and hmac-md5/siphash/highwayhash usage.
+// If load_file is given, the seeds (both random & hashes) are loaded from that file.  This
+// takes precedence over the "seed_string and "use_empty_seeds" arguments. The content of
+// "seed_string" is used as seeds if not empty next. Otherwise, when "use_empty_seeds" is
+// set it zero-initializes all seed values. If neither of these provides initial seed values,
+// platform specific random data is used as seeds. If write_file is given, the seeds are
 // written to that file.
-extern void init_random_seed(const char* load_file, const char* write_file, bool use_empty_seeds);
+extern void init_random_seed(const char* load_file, const char* write_file, bool use_empty_seeds,
+                             const std::string& seed_string = {});
 
 // Retrieves the initial seed computed after the very first call to
 // init_random_seed(). Repeated calls to init_random_seed() will not affect
@@ -305,6 +308,8 @@ double parse_rotate_base_time(const char* rotate_base_time);
 // This function is thread-safe.
 double calc_next_rotate(double current, double rotate_interval, double base);
 
+int setvbuf(FILE* stream, char* buf, int type, size_t size);
+
 	} // namespace detail
 
 template <class T> void delete_each(T* t)
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 768d4b7e7e..46d5eacef0 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -65,6 +65,9 @@
 #include "zeek/plugin/Manager.h"
 #include "zeek/script_opt/ScriptOpt.h"
 #include "zeek/session/Manager.h"
+#ifdef HAVE_SPICY
+#include "zeek/spicy/manager.h"
+#endif
 #include "zeek/supervisor/Supervisor.h"
 #include "zeek/telemetry/Manager.h"
 #include "zeek/threading/Manager.h"
@@ -191,6 +194,9 @@ zeek::Broker::Manager* zeek::broker_mgr = nullptr;
 zeek::telemetry::Manager* zeek::telemetry_mgr = nullptr;
 zeek::Supervisor* zeek::supervisor_mgr = nullptr;
 zeek::detail::trigger::Manager* zeek::detail::trigger_mgr = nullptr;
+#ifdef HAVE_SPICY
+zeek::spicy::Manager* zeek::spicy_mgr = nullptr;
+#endif
 
 std::vector<std::string> zeek::detail::zeek_script_prefixes;
 zeek::detail::Stmt* zeek::detail::stmts = nullptr;
@@ -437,6 +443,9 @@ static void terminate_zeek()
 	delete session_mgr;
 	delete fragment_mgr;
 	delete telemetry_mgr;
+#ifdef HAVE_SPICY
+	delete spicy_mgr;
+#endif
 
 	// free the global scope
 	pop_scope();
@@ -629,15 +638,22 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 		supervisor_mgr = new Supervisor(std::move(cfg), std::move(*stem));
 		}
 
+	std::string seed_string;
+	if ( const auto* seed_env = getenv("ZEEK_SEED_VALUES") )
+		seed_string = seed_env;
+
 	const char* seed_load_file = getenv("ZEEK_SEED_FILE");
 
 	if ( options.random_seed_input_file )
 		seed_load_file = options.random_seed_input_file->data();
 
+	if ( seed_load_file && *seed_load_file && ! seed_string.empty() )
+		reporter->FatalError("can't use ZEEK_SEED_VALUES together with ZEEK_SEED_FILE or -G");
+
 	util::detail::init_random_seed(
 		(seed_load_file && *seed_load_file ? seed_load_file : nullptr),
 		options.random_seed_output_file ? options.random_seed_output_file->data() : nullptr,
-		options.deterministic_mode);
+		options.deterministic_mode, seed_string);
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 
@@ -712,6 +728,9 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 	auto broker_real_time = ! options.pcap_file && ! options.deterministic_mode;
 	broker_mgr = new Broker::Manager(broker_real_time);
 	trigger_mgr = new trigger::Manager();
+#ifdef HAVE_SPICY
+	spicy_mgr = new spicy::Manager(); // registers as plugin with the plugin manager
+#endif
 
 	plugin_mgr->InitPreScript();
 	file_mgr->InitPreScript();
diff --git a/src/zeek.bif b/src/zeek.bif
index 924cb720e1..c97e6e7d9c 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -354,6 +354,19 @@ function set_network_time%(nt: time%): bool
 	return zeek::val_mgr->True();
 	%}
 
+## Returns the timestamp of the last raised event. The timestamp reflects the
+## network time the event was intended to be executed. For scheduled events,
+## this is the time the event was scheduled for. For any other event, this is
+## the time when the event was created.
+##
+## Returns: The timestamp of the last raised event.
+##
+## .. zeek:see:: current_time set_network_time
+function current_event_time%(%): time
+	%{
+	return zeek::make_intrusive<zeek::TimeVal>(zeek::event_mgr.CurrentEventTime());
+	%}
+
 ## Returns a system environment variable.
 ##
 ## var: The name of the variable whose value to request.
@@ -1680,19 +1693,33 @@ function print_raw%(...%): bool
 ##
 ## Returns: The next lowest integer of *d* as :zeek:type:`double`.
 ##
-## .. zeek:see:: sqrt exp ln log10 pow
+## .. zeek:see:: ceil sqrt exp ln log2 log10 pow
 function floor%(d: double%): double
 	%{
 	return zeek::make_intrusive<zeek::DoubleVal>(floor(d));
 	%}
 
+## Computes the smallest integer greater or equal than the given :zeek:type:`double` value.
+## For example, ``ceil(3.14)`` returns ``4.0``, and ``ceil(-3.14)``
+## returns ``-3.0``.
+##
+## d: The :zeek:type:`double` to manipulate.
+##
+## Returns: The next lowest integer of *d* as :zeek:type:`double`.
+##
+## .. zeek:see:: floor sqrt exp ln log2 log10 pow
+function ceil%(d: double%): double
+	%{
+	return zeek::make_intrusive<zeek::DoubleVal>(ceil(d));
+	%}
+
 ## Computes the square root of a :zeek:type:`double`.
 ##
 ## x: The number to compute the square root of.
 ##
 ## Returns: The square root of *x*.
 ##
-## .. zeek:see:: floor exp ln log10 pow
+## .. zeek:see:: floor ceil exp ln log2 log10 pow
 function sqrt%(x: double%): double
 	%{
 	if ( x < 0 )
@@ -1710,7 +1737,7 @@ function sqrt%(x: double%): double
 ##
 ## Returns: *e* to the power of *d*.
 ##
-## .. zeek:see:: floor sqrt ln log10 pow
+## .. zeek:see:: floor ceil sqrt ln log2 log10 pow
 function exp%(d: double%): double
 	%{
 	return zeek::make_intrusive<zeek::DoubleVal>(exp(d));
@@ -1722,19 +1749,31 @@ function exp%(d: double%): double
 ##
 ## Returns: The natural logarithm of *d*.
 ##
-## .. zeek:see:: exp floor sqrt log10 pow
+## .. zeek:see:: floor ceil sqrt exp log2 log10 pow
 function ln%(d: double%): double
 	%{
 	return zeek::make_intrusive<zeek::DoubleVal>(log(d));
 	%}
 
+## Computes the base 2 logarithm of a number.
+##
+## d: The argument to the logarithm.
+##
+## Returns: The base 2 logarithm of *d*.
+##
+## .. zeek:see:: floor ceil sqrt exp ln log10 pow
+function log2%(d: double%): double
+	%{
+	return zeek::make_intrusive<zeek::DoubleVal>(log2(d));
+	%}
+
 ## Computes the common logarithm of a number.
 ##
 ## d: The argument to the logarithm.
 ##
 ## Returns: The common logarithm of *d*.
 ##
-## .. zeek:see:: exp floor sqrt ln pow
+## .. zeek:see:: floor ceil sqrt exp ln log2 pow
 function log10%(d: double%): double
 	%{
 	return zeek::make_intrusive<zeek::DoubleVal>(log10(d));
@@ -1748,7 +1787,7 @@ function log10%(d: double%): double
 ##
 ## Returns: The number *x* raised to the power *y*.
 ##
-## .. zeek:see:: exp floor sqrt ln log10
+## .. zeek:see:: floor ceil sqrt exp ln log2 log10
 function pow%(x: double, y: double%): double
 	%{
 	return zeek::make_intrusive<zeek::DoubleVal>(pow(x, y));
@@ -4671,6 +4710,16 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 		return zeek::val_mgr->False();
 		}
 
+	// If a user passed the analyzer ID of a root analyzer like TCP or UDP
+	// report an error but don't do anything. This likely is a scripting
+	// error as it should not be possible to get access to the analyzer id
+	// of a root analyzer without probing for it.
+	if ( ! a->Parent() )
+		{
+		zeek::reporter->Error("root analyzer %s cannot be removed", a->GetAnalyzerName());
+		return zeek::val_mgr->False();
+		}
+
 	// Remove in v6.1: Global disabling_analyzer is to be removed.
 	static auto disabling_analyzer_hook = id::find_func("disabling_analyzer");
 	static auto analyzer_disabling_analyzer_hook = id::find_func("Analyzer::disabling_analyzer");
@@ -5550,12 +5599,67 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
 ##
 ## returns: a JSON formatted string.
 ##
-## .. zeek:see:: fmt cat cat_sep string_cat print_raw
+## .. zeek:see:: fmt cat cat_sep string_cat print_raw from_json
 function to_json%(val: any, only_loggable: bool &default=F, field_escape_pattern: pattern &default=/^_/%): string
 	%{
 	return val->ToJSON(only_loggable, field_escape_pattern);
 	%}
 
+## A function to convert a JSON string into Zeek values of a given type.
+##
+## Implicit conversion from JSON to Zeek types is implemented for:
+##
+##   - bool
+##   - int, count, real
+##   - interval from numbers as seconds
+##   - time from numbers as unix timestamp
+##   - port from strings in "80/tcp" notation
+##   - addr, subnet
+##   - enum
+##   - sets
+##   - vectors
+##   - records (from JSON objects)
+##
+## Optional or default record fields are allowed to be missing or null in the input.
+##
+## s: The JSON string to parse.
+##
+## t: Type of Zeek data.
+##
+## returns: A value of type t.
+##
+## .. zeek:see:: to_json
+function from_json%(s: string, t: any%): from_json_result
+	%{
+	static auto result_type = zeek::id::find_type<RecordType>("from_json_result");
+	static auto v_idx = result_type->FieldOffset("v");
+	static auto valid_idx = result_type->FieldOffset("valid");
+
+	auto rval = zeek::make_intrusive<RecordVal>(result_type);
+
+	if ( t->GetType()->Tag() != zeek::TYPE_TYPE )
+		{
+		rval->Assign(valid_idx, false);
+		zeek::emit_builtin_error("from_json() requires a type argument");
+		return rval;
+		}
+
+	auto res = zeek::detail::ValFromJSON(s->ToStdStringView(), t->AsType()->AsTypeType()->GetType());
+
+	if ( auto val = std::get_if<zeek::ValPtr>(&res) )
+		{
+		rval->Assign(v_idx, *val);
+		rval->Assign(valid_idx, true);
+		}
+	else
+		{
+		rval->Assign(valid_idx, false);
+		zeek::emit_builtin_error(std::get<std::string>(res).c_str());
+		}
+
+	return rval;
+	%}
+
 ## Compresses a given path by removing '..'s and the parent directory it
 ## references and also removing dual '/'s and extraneous '/./'s.
 ##
@@ -5717,8 +5821,19 @@ function has_module_events%(group: string%) : bool
 	                                           group->CheckString()));
 	%}
 
+## Returns true if Zeek was built with support for using Spicy analyzers (which
+# is the default).
+function have_spicy%(%) : bool
+	%{
+#ifdef HAVE_SPICY
+	return zeek::val_mgr->Bool(true);
+#else
+	return zeek::val_mgr->Bool(false);
+#endif
+	%}
+
 ## Returns true if Zeek was built with support for its in-tree Spicy analyzers
-## (which is the default).
+## (which is the default if Spicy support is available).
 function have_spicy_analyzers%(%) : bool
 	%{
 	return zeek::val_mgr->Bool(USE_SPICY_ANALYZERS);
diff --git a/src/zeekygen/CMakeLists.txt b/src/zeekygen/CMakeLists.txt
index eee80e8a65..6095ed6757 100644
--- a/src/zeekygen/CMakeLists.txt
+++ b/src/zeekygen/CMakeLists.txt
@@ -1,16 +1,15 @@
 zeek_add_subdir_library(
     zeekygen
     SOURCES
-        Manager.cc
-        Info.h
-        PackageInfo.cc
-        ScriptInfo.cc
-        IdentifierInfo.cc
-        Target.cc
-        Configuration.cc
-        ReStructuredTextTable.cc
-        utils.cc
-)
+    Manager.cc
+    Info.h
+    PackageInfo.cc
+    ScriptInfo.cc
+    IdentifierInfo.cc
+    Target.cc
+    Configuration.cc
+    ReStructuredTextTable.cc
+    utils.cc)
 
 # Treat BIFs as builtin (alternative mode).
 bif_target(zeekygen.bif)
diff --git a/src/zeekygen/utils.cc b/src/zeekygen/utils.cc
index 05779dc1bc..094cd58424 100644
--- a/src/zeekygen/utils.cc
+++ b/src/zeekygen/utils.cc
@@ -70,7 +70,7 @@ bool prettify_params(string& s)
 			if ( identifier == "Returns" )
 				subst = ":returns";
 			else
-				subst = ":" + identifier;
+				subst = ":param " + identifier;
 
 			s.replace(identifier_start_pos, identifier.size(), subst);
 			return true;
diff --git a/testing/CMakeLists.txt b/testing/CMakeLists.txt
index 7ae503924f..f3c12302e4 100644
--- a/testing/CMakeLists.txt
+++ b/testing/CMakeLists.txt
@@ -1,8 +1,21 @@
-install(DIRECTORY scripts/ DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/scripts
-    USE_SOURCE_PERMISSIONS
-    FILES_MATCHING PATTERN "diff-*")
+install(
+    DIRECTORY scripts/
+    DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/scripts
+    USE_SOURCE_PERMISSIONS FILES_MATCHING
+    PATTERN "diff-*")
 install(FILES btest/random.seed DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data)
 
-if ( INSTALL_BTEST_PCAPS )
+if (INSTALL_BTEST_PCAPS)
     install(DIRECTORY btest/Traces/ DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data/pcaps)
 endif ()
+
+# The remainder is for backwards-compatability with existing Spicy zkg packages.
+install(
+    CODE "execute_process( \
+    COMMAND ${CMAKE_COMMAND} -E create_symlink \
+    ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data \
+    ${CMAKE_INSTALL_PREFIX}/share/zeek/tests \
+    )")
+
+install(DIRECTORY scripts/spicy/ DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data/Scripts
+        USE_SOURCE_PERMISSIONS)
diff --git a/testing/btest/Baseline.cpp/broker.store.create-failure/zeek.err b/testing/btest/Baseline.cpp/broker.store.create-failure/zeek.err
index 3215cff134..5abfd1c321 100644
--- a/testing/btest/Baseline.cpp/broker.store.create-failure/zeek.err
+++ b/testing/btest/Baseline.cpp/broker.store.create-failure/zeek.err
@@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/create-failure.zeek (C++), line 61: Failed to attach master store backend_failure: (<___>testing_btest__tmp_broker_store_create_failure_create_failure_zeek__zeek_init__33__zf())
-error in <...>/create-failure.zeek (C++), line 61: Could not create Broker master store '../fail' (<___>testing_btest__tmp_broker_store_create_failure_create_failure_zeek__zeek_init__33__zf())
+error in <...>/create-failure.zeek (C++), line 61: Failed to attach master store backend_failure: (<___>testing_btest__tmp_broker_store_create_failure_create_failure_zeek__zeek_init__34__zf())
+error in <...>/create-failure.zeek (C++), line 61: Could not create Broker master store '../fail' (<___>testing_btest__tmp_broker_store_create_failure_create_failure_zeek__zeek_init__34__zf())
 error in <no location>: invalid Broker store handle (broker::store::{})
 error in <no location>: invalid Broker store handle (broker::store::{})
 error in <no location>: invalid Broker store handle (broker::store::{})
diff --git a/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/.stderr b/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/.stderr
new file mode 100644
index 0000000000..4201f8f1d9
--- /dev/null
+++ b/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/.stderr
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1299481205.000000 warning: non-void function returning without a value: Test::my_rotation_format_func
+1299481205.000000 error: Failed to call Log::rotation_format_func for path test continuing with rotation to: ./test-11-03-07_06.00.05
+1299495605.000000 runtime error in compiled code: division by zero
+1299495605.000000 error: Failed to call Log::rotation_format_func for path test continuing with rotation to: ./test-11-03-07_10.00.05
diff --git a/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/out b/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/out
new file mode 100644
index 0000000000..b8c9d46382
--- /dev/null
+++ b/testing/btest/Baseline.cpp/scripts.base.frameworks.logging.rotate-custom-fmt-func-bad/out
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+test-1.log
+test-10.log
+test-11-03-07_06.00.05.log
+test-11-03-07_10.00.05.log
+test-2.log
+test-3.log
+test-5.log
+test-6.log
+test-7.log
+test-9.log
diff --git a/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
new file mode 100644
index 0000000000..69ea064e38
--- /dev/null
+++ b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX, disabling_analyzer, CHhAvVGS1DHFjwGM9, AllAnalyzers::ANALYZER_ANALYZER_SMTP, 3
diff --git a/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
new file mode 100644
index 0000000000..26cb0b0369
--- /dev/null
+++ b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	1	Bob-PC	bob@example.org	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	250 OK id=1pgobK-001mwq-ED	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	-	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	bob@example.org	-	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
new file mode 100644
index 0000000000..8b84b63d00
--- /dev/null
+++ b/testing/btest/Baseline.cpp/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_mail_transaction_invalid	rcpt to missing mail from	F	zeek	SMTP
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_excessive_invalid_mail_transactions	-	F	zeek	SMTP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline.zam/bifs.cat_sep_errors-2/.stderr b/testing/btest/Baseline.zam/bifs.cat_sep_errors-2/.stderr
index 13a40bc019..f3eeb2d94b 100644
--- a/testing/btest/Baseline.zam/bifs.cat_sep_errors-2/.stderr
+++ b/testing/btest/Baseline.zam/bifs.cat_sep_errors-2/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/cat_sep_errors.zeek, line 3: cat_sep() takes at least 2 arguments, got 1 (cat_sep(sep))
+error in <...>/cat_sep_errors.zeek, line 3: cat_sep() takes at least 2 argument(s), got 1 (cat_sep(sep))
diff --git a/testing/btest/Baseline.zam/bifs.cat_sep_errors-3/.stderr b/testing/btest/Baseline.zam/bifs.cat_sep_errors-3/.stderr
index c19b73c3da..3aec3d0c30 100644
--- a/testing/btest/Baseline.zam/bifs.cat_sep_errors-3/.stderr
+++ b/testing/btest/Baseline.zam/bifs.cat_sep_errors-3/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/cat_sep_errors.zeek, line 4: expected type string for default, got count (cat_sep(sep, 1))
+error in <...>/cat_sep_errors.zeek, line 4: expected type string for def, got count (cat_sep(sep, 1))
diff --git a/testing/btest/Baseline.zam/bifs.cat_sep_errors-4/.stderr b/testing/btest/Baseline.zam/bifs.cat_sep_errors-4/.stderr
index 6416ec7c35..c414809740 100644
--- a/testing/btest/Baseline.zam/bifs.cat_sep_errors-4/.stderr
+++ b/testing/btest/Baseline.zam/bifs.cat_sep_errors-4/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/cat_sep_errors.zeek, line 4: expected type string for separator, got count (cat_sep(1, default))
+error in <...>/cat_sep_errors.zeek, line 4: expected type string for sep, got count (cat_sep(1, default))
diff --git a/testing/btest/Baseline.zam/bifs.cat_sep_errors-5/.stderr b/testing/btest/Baseline.zam/bifs.cat_sep_errors-5/.stderr
index 13009f26f2..8ecf9f22a3 100644
--- a/testing/btest/Baseline.zam/bifs.cat_sep_errors-5/.stderr
+++ b/testing/btest/Baseline.zam/bifs.cat_sep_errors-5/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/cat_sep_errors.zeek, line 3: expected type string for separator, got record (cat_sep(<internal>::#0, default))
+error in <...>/cat_sep_errors.zeek, line 3: expected type string for sep, got record (cat_sep(<internal>::#0, default))
diff --git a/testing/btest/Baseline.zam/bifs.cat_sep_errors/.stderr b/testing/btest/Baseline.zam/bifs.cat_sep_errors/.stderr
index f3813297fe..c0a49beadf 100644
--- a/testing/btest/Baseline.zam/bifs.cat_sep_errors/.stderr
+++ b/testing/btest/Baseline.zam/bifs.cat_sep_errors/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/cat_sep_errors.zeek, line 6: cat_sep() takes at least 2 arguments, got 0 (cat_sep())
+error in <...>/cat_sep_errors.zeek, line 6: cat_sep() takes at least 2 argument(s), got 0 (cat_sep())
diff --git a/testing/btest/Baseline.zam/scripts.base.frameworks.cluster.publish-hrw-type-check/.stderr b/testing/btest/Baseline.zam/scripts.base.frameworks.cluster.publish-hrw-type-check/.stderr
new file mode 100644
index 0000000000..02602c34eb
--- /dev/null
+++ b/testing/btest/Baseline.zam/scripts.base.frameworks.cluster.publish-hrw-type-check/.stderr
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/publish-hrw-type-check.zeek, line 15: expected type Cluster::Pool for pool (Cluster::publish_hrw(/topic, 1234/tcp, test_send, <internal>::#0))
+error in <...>/publish-hrw-type-check.zeek, line 17: expected type Cluster::Pool for pool (Cluster::publish_hrw(0, 1234/tcp, test_send, <internal>::#1))
+error in <...>/publish-hrw-type-check.zeek, line 19: expected type Cluster::Pool for pool (Cluster::publish_rr(/topic, val, test_send, <internal>::#2))
+error in <...>/publish-hrw-type-check.zeek, line 21: expected type string for key, got port (Cluster::publish_rr(<internal>::#3, 1234/tcp, test_send, <internal>::#4))
diff --git a/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
new file mode 100644
index 0000000000..69ea064e38
--- /dev/null
+++ b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX, disabling_analyzer, CHhAvVGS1DHFjwGM9, AllAnalyzers::ANALYZER_ANALYZER_SMTP, 3
diff --git a/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
new file mode 100644
index 0000000000..26cb0b0369
--- /dev/null
+++ b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	1	Bob-PC	bob@example.org	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	250 OK id=1pgobK-001mwq-ED	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	-	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	bob@example.org	-	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
new file mode 100644
index 0000000000..8b84b63d00
--- /dev/null
+++ b/testing/btest/Baseline.zam/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_mail_transaction_invalid	rcpt to missing mail from	F	zeek	SMTP
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_excessive_invalid_mail_transactions	-	F	zeek	SMTP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/bifs.disable_analyzer-invalid-aid/out b/testing/btest/Baseline/bifs.disable_analyzer-invalid-aid/out
new file mode 100644
index 0000000000..13952f2a52
--- /dev/null
+++ b/testing/btest/Baseline/bifs.disable_analyzer-invalid-aid/out
@@ -0,0 +1,35 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer TCP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
+XXXXXXXXXX.XXXXXX error: root analyzer UDP cannot be removed
diff --git a/testing/btest/Baseline/bifs.from_json-10/.stderr b/testing/btest/Baseline/bifs.from_json-10/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-10/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/bifs.from_json-10/.stdout b/testing/btest/Baseline/bifs.from_json-10/.stdout
new file mode 100644
index 0000000000..c7202a240c
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-10/.stdout
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v={
+fe80::/64,
+192.168.0.0/16
+}, valid=T]
+[v=[1, 3, 4], valid=T]
diff --git a/testing/btest/Baseline/bifs.from_json-11/.stderr b/testing/btest/Baseline/bifs.from_json-11/.stderr
new file mode 100644
index 0000000000..1438154b7a
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-11/.stderr
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 8: required field Foo$hello is missing in JSON (from_json({"t":null}, to_any_coerceFoo))
+error in <...>/from_json.zeek, line 9: required field Foo$hello is null in JSON (from_json({"hello": null, "t": true}, to_any_coerceFoo))
diff --git a/testing/btest/Baseline/bifs.from_json-11/.stdout b/testing/btest/Baseline/bifs.from_json-11/.stdout
new file mode 100644
index 0000000000..d288024480
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-11/.stdout
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-12/.stderr b/testing/btest/Baseline/bifs.from_json-12/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-12/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/bifs.from_json-12/.stdout b/testing/btest/Baseline/bifs.from_json-12/.stdout
new file mode 100644
index 0000000000..7673a47ea5
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-12/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=[hello=Hello!], valid=T]
diff --git a/testing/btest/Baseline/bifs.from_json-2/.stderr b/testing/btest/Baseline/bifs.from_json-2/.stderr
new file mode 100644
index 0000000000..1ce3c885b8
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-2/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 4: from_json() requires a type argument (from_json([], to_any_coerce10))
diff --git a/testing/btest/Baseline/bifs.from_json-2/.stdout b/testing/btest/Baseline/bifs.from_json-2/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-2/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-3/.stderr b/testing/btest/Baseline/bifs.from_json-3/.stderr
new file mode 100644
index 0000000000..cd9437efcb
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-3/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 4: JSON parse error: Missing a closing quotation mark in string. Offset: 5 (from_json({"hel, to_any_coercestring_vec))
diff --git a/testing/btest/Baseline/bifs.from_json-3/.stdout b/testing/btest/Baseline/bifs.from_json-3/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-3/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-4/.stderr b/testing/btest/Baseline/bifs.from_json-4/.stderr
new file mode 100644
index 0000000000..210255a35f
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-4/.stderr
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 9: cannot convert JSON type 'array' to Zeek type 'bool' (from_json([], to_any_coercebool_t))
+error in <...>/from_json.zeek, line 10: cannot convert JSON type 'string' to Zeek type 'bool' (from_json({"a": "hello"}, to_any_coerceFoo))
diff --git a/testing/btest/Baseline/bifs.from_json-4/.stdout b/testing/btest/Baseline/bifs.from_json-4/.stdout
new file mode 100644
index 0000000000..d288024480
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-4/.stdout
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-5/.stderr b/testing/btest/Baseline/bifs.from_json-5/.stderr
new file mode 100644
index 0000000000..b08347df71
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-5/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 4: tables are not supported (from_json([], to_any_coercetable_string_of_string))
diff --git a/testing/btest/Baseline/bifs.from_json-5/.stdout b/testing/btest/Baseline/bifs.from_json-5/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-5/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-6/.stderr b/testing/btest/Baseline/bifs.from_json-6/.stderr
new file mode 100644
index 0000000000..fa015b8031
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-6/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 5: wrong port format, must be <...>/(tcp|udp|icmp|unknown)/ (from_json("80", to_any_coerceport_t))
diff --git a/testing/btest/Baseline/bifs.from_json-6/.stdout b/testing/btest/Baseline/bifs.from_json-6/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-6/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-7/.stderr b/testing/btest/Baseline/bifs.from_json-7/.stderr
new file mode 100644
index 0000000000..b3789904c6
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-7/.stderr
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 5: index type doesn't match (from_json([[1, false], [2]], to_any_coerceset_t))
+error in <...>/from_json.zeek, line 6: cannot convert JSON type 'number' to Zeek type 'bool' (from_json([[1, false], [2, 1]], to_any_coerceset_t))
diff --git a/testing/btest/Baseline/bifs.from_json-7/.stdout b/testing/btest/Baseline/bifs.from_json-7/.stdout
new file mode 100644
index 0000000000..d288024480
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-7/.stdout
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-8/.stderr b/testing/btest/Baseline/bifs.from_json-8/.stderr
new file mode 100644
index 0000000000..18bb4fa2eb
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-8/.stderr
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error: error compiling pattern /^?(.|\n)*(([[:print:]]{-}[[:alnum:]]foo))/
+error in <...>/from_json.zeek, line 5: error compiling pattern (from_json("/([[:print:]]{-}[[:alnum:]]foo)/", to_any_coercepattern_t))
diff --git a/testing/btest/Baseline/bifs.from_json-8/.stdout b/testing/btest/Baseline/bifs.from_json-8/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-8/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json-9/.stderr b/testing/btest/Baseline/bifs.from_json-9/.stderr
new file mode 100644
index 0000000000..60cbecd370
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-9/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/from_json.zeek, line 7: 'Yellow' is not a valid enum for 'Color'. (from_json("Yellow", to_any_coerceColor))
diff --git a/testing/btest/Baseline/bifs.from_json-9/.stdout b/testing/btest/Baseline/bifs.from_json-9/.stdout
new file mode 100644
index 0000000000..aee95c8a8e
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json-9/.stdout
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=<uninitialized>, valid=F]
diff --git a/testing/btest/Baseline/bifs.from_json/.stderr b/testing/btest/Baseline/bifs.from_json/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/bifs.from_json/.stdout b/testing/btest/Baseline/bifs.from_json/.stdout
new file mode 100644
index 0000000000..24f35f7b9b
--- /dev/null
+++ b/testing/btest/Baseline/bifs.from_json/.stdout
@@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[v=[hello=world, t=T, f=F, n=<uninitialized>, m=<uninitialized>, def=123, i=123, pi=3.1416, a=[1, 2, 3, 4], c1=A::Blue, p=1500/tcp, ti=1681652265.042767, it=1.0 hr 23.0 mins 20.0 secs, ad=127.0.0.1, s=::1/128, re=/^?(a)$?/, su={
+aa:bb::/32,
+192.168.0.0/16
+}, se={
+[192.168.0.1, 80/tcp] ,
+[2001:db8::1, 8080/udp] 
+}], valid=T]
diff --git a/testing/btest/Baseline/bifs.math/out b/testing/btest/Baseline/bifs.math/out
index 8960b7c859..7ba88b0911 100644
--- a/testing/btest/Baseline/bifs.math/out
+++ b/testing/btest/Baseline/bifs.math/out
@@ -3,8 +3,13 @@
 2.0
 -4.0
 -3.0
+4.0
+3.0
+-3.0
+-2.0
 1.772005
 23.103867
 1.144223
 0.49693
+1.650765
 22.21669
diff --git a/testing/btest/Baseline/bifs.records_fields/out b/testing/btest/Baseline/bifs.records_fields/out
index 5d4f16243e..6a6921fc6a 100644
--- a/testing/btest/Baseline/bifs.records_fields/out
+++ b/testing/btest/Baseline/bifs.records_fields/out
@@ -1,66 +1,68 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 [a=42, b=Foo, c=<uninitialized>, d=Bar, e=tt]
 {
-[a] = [type_name=count, log=F, value=42, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=Bar, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=Foo, default_val=Foo],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=any, log=F, value=tt, default_val=<uninitialized>]
+[a] = [type_name=count, log=F, value=42, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=Bar, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=Foo, default_val=Foo, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[e] = [type_name=any, log=F, value=tt, default_val=<uninitialized>, optional=F]
 }
-F
+c value, F
+c default , F
+c optional, T
 {
-[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE]
+[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE, optional=T]
 }
 {
-[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE]
+[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE, optional=T]
 }
 {
-[a] = [type_name=count, log=F, value=42, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=Bar, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=Foo, default_val=Foo],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=any, log=F, value=mystring, default_val=<uninitialized>]
+[a] = [type_name=count, log=F, value=42, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=Bar, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=Foo, default_val=Foo, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[e] = [type_name=any, log=F, value=mystring, default_val=<uninitialized>, optional=F]
 }
 {
 
 }
 {
-[myfield] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>]
+[myfield] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F]
 }
 {
-[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE]
+[a] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[f] = [type_name=enum Monochrome::color, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Bar, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[m] = [type_name=record myrec, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[e] = [type_name=enum color, log=F, value=<uninitialized>, default_val=BLUE, optional=T]
 }
 {
-[a] = [type_name=count, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Foo],
-[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=any, log=F, value=<uninitialized>, default_val=<uninitialized>]
+[a] = [type_name=count, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[d] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[b] = [type_name=string, log=F, value=<uninitialized>, default_val=Foo, optional=T],
+[c] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[e] = [type_name=any, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F]
 }
 {
-[a] = [type_name=set[double], log=F, value=<uninitialized>, default_val=<uninitialized>],
-[d] = [type_name=table[double,string] of table[string] of vector of string, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[f] = [type_name=vector of enum color, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[b] = [type_name=set[double,string], log=F, value=<uninitialized>, default_val=<uninitialized>],
-[c] = [type_name=set[double,record tt], log=F, value=<uninitialized>, default_val=<uninitialized>],
-[g] = [type_name=table[string] of enum color, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[e] = [type_name=vector of vector of string, log=F, value=<uninitialized>, default_val=<uninitialized>]
+[a] = [type_name=set[double], log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[d] = [type_name=table[double,string] of table[string] of vector of string, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[f] = [type_name=vector of enum color, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[b] = [type_name=set[double,string], log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[c] = [type_name=set[double,record tt], log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[g] = [type_name=table[string] of enum color, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[e] = [type_name=vector of vector of string, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=F]
 }
diff --git a/testing/btest/Baseline/broker.remote_event_auto_ts/recv.recv.out b/testing/btest/Baseline/broker.remote_event_auto_ts/recv.recv.out
new file mode 100644
index 0000000000..d9ad0dd05e
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_auto_ts/recv.recv.out
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+receiver got ping: my-message-a intended for 1989-12-12-22:00:00 stamped to 1989-12-12-22:00:00 (is_remote = T)
+receiver got ping: my-message-b intended for 1989-12-12-22:15:00 stamped to 1989-12-12-22:15:00 (is_remote = T)
+receiver got ping: my-message-c intended for 1989-12-12-22:30:00 stamped to 1989-12-12-22:30:00 (is_remote = T)
+receiver got ping: my-message-a intended for 1989-12-12-23:00:00 stamped to 1989-12-12-23:00:00 (is_remote = T)
+receiver got ping: my-message-b intended for 1989-12-12-23:15:00 stamped to 1989-12-12-23:15:00 (is_remote = T)
+receiver got ping: my-message-c intended for 1989-12-12-23:30:00 stamped to 1989-12-12-23:30:00 (is_remote = T)
+receiver got ping: my-message-a intended for 1989-12-13-00:00:00 stamped to 1989-12-13-00:00:00 (is_remote = T)
+receiver got ping: my-message-b intended for 1989-12-13-00:15:00 stamped to 1989-12-13-00:15:00 (is_remote = T)
+receiver got ping: my-message-c intended for 1989-12-13-00:30:00 stamped to 1989-12-13-00:30:00 (is_remote = T)
diff --git a/testing/btest/Baseline/broker.remote_event_auto_ts/send.send.out b/testing/btest/Baseline/broker.remote_event_auto_ts/send.send.out
new file mode 100644
index 0000000000..2a0a5c48ee
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_auto_ts/send.send.out
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+sender added peer: endpoint=127.0.0.1 msg=handshake successful
+>> Run 1 (1989-12-12-22:00:00)
+>> Run 2 (1989-12-12-23:00:00)
+>> Run 3 (1989-12-13-00:00:00)
+>> Run 4 (1989-12-13-01:00:00)
+>> Run 5 (1989-12-13-02:00:00)
+>> Run 6 (1989-12-13-03:00:00)
+>> Run 7 (1989-12-13-04:00:00)
+>> Run 8 (1989-12-13-05:00:00)
+>> Run 9 (1989-12-13-06:00:00)
+>> Run 10 (1989-12-13-07:00:00)
+sender lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer
diff --git a/testing/btest/Baseline/broker.remote_event_ts/recv.recv.out b/testing/btest/Baseline/broker.remote_event_ts/recv.recv.out
new file mode 100644
index 0000000000..a79faa982e
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ts/recv.recv.out
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+receiver got ping: my-message intended for 1989-12-12-22:00:00 stamped to 1989-12-12-22:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-12-23:00:00 stamped to 1989-12-12-23:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-00:00:00 stamped to 1989-12-13-00:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-01:00:00 stamped to 1989-12-13-01:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-02:00:00 stamped to 1989-12-13-02:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-03:00:00 stamped to 1989-12-13-03:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-04:00:00 stamped to 1989-12-13-04:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-05:00:00 stamped to 1989-12-13-05:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-06:00:00 stamped to 1989-12-13-06:00:00 (is_remote = T)
+receiver got ping: my-message intended for 1989-12-13-07:00:00 stamped to 1989-12-13-07:00:00 (is_remote = T)
diff --git a/testing/btest/Baseline/broker.remote_event_ts/send.send.out b/testing/btest/Baseline/broker.remote_event_ts/send.send.out
new file mode 100644
index 0000000000..2a0a5c48ee
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ts/send.send.out
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+sender added peer: endpoint=127.0.0.1 msg=handshake successful
+>> Run 1 (1989-12-12-22:00:00)
+>> Run 2 (1989-12-12-23:00:00)
+>> Run 3 (1989-12-13-00:00:00)
+>> Run 4 (1989-12-13-01:00:00)
+>> Run 5 (1989-12-13-02:00:00)
+>> Run 6 (1989-12-13-03:00:00)
+>> Run 7 (1989-12-13-04:00:00)
+>> Run 8 (1989-12-13-05:00:00)
+>> Run 9 (1989-12-13-06:00:00)
+>> Run 10 (1989-12-13-07:00:00)
+sender lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer
diff --git a/testing/btest/Baseline/broker.remote_event_ts_compat/client.output b/testing/btest/Baseline/broker.remote_event_ts_compat/client.output
new file mode 100644
index 0000000000..d61cedbbe1
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ts_compat/client.output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+send event without timestamp
+send event with timestamp
diff --git a/testing/btest/Baseline/broker.remote_event_ts_compat/server.output b/testing/btest/Baseline/broker.remote_event_ts_compat/server.output
new file mode 100644
index 0000000000..34a7c3a50b
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ts_compat/server.output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+added peer: endpoint=127.0.0.1 msg=handshake successful
+got my_event(without ts) stamped to 42.0 at network time 42.0
+got my_event(with ts) stamped to 23.0 at network time 42.0
+lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer
diff --git a/testing/btest/Baseline/broker.web-socket-events-metadata/client.output b/testing/btest/Baseline/broker.web-socket-events-metadata/client.output
new file mode 100644
index 0000000000..5fa2aec2b5
--- /dev/null
+++ b/testing/btest/Baseline/broker.web-socket-events-metadata/client.output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ping args ['my-message', 1] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:14.000'}]}]
+ping args ['my-message', 2] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:24.000'}]}]
+ping args ['my-message', 3] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:34.000'}]}]
diff --git a/testing/btest/Baseline/broker.web-socket-events-metadata/server.output b/testing/btest/Baseline/broker.web-socket-events-metadata/server.output
new file mode 100644
index 0000000000..92f0a20dbf
--- /dev/null
+++ b/testing/btest/Baseline/broker.web-socket-events-metadata/server.output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+sender added peer: endpoint=127.0.0.1 msg=handshake successful
+sender got pong: my-message, 1 network_time=1681819994.0 current_event_time=1681819995.0
+sender got pong: my-message, 2 network_time=1681820004.0 current_event_time=1681819996.0
+sender got pong: my-message, 3 network_time=1681820014.0 current_event_time=1681819997.0
+sender lost peer: endpoint=127.0.0.1 msg=lost connection to client
diff --git a/testing/btest/Baseline/core.network_time.broker/manager..stdout b/testing/btest/Baseline/core.network_time.broker/manager..stdout
index 658d123ea1..d4c454b893 100644
--- a/testing/btest/Baseline/core.network_time.broker/manager..stdout
+++ b/testing/btest/Baseline/core.network_time.broker/manager..stdout
@@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 manager: listening
-manager: peer added, publishing do_continue_processing
+manager: peer added, publishing timer_tick() events
 manager: peer lost, terminating
diff --git a/testing/btest/Baseline/core.network_time.broker/worker..stdout b/testing/btest/Baseline/core.network_time.broker/worker..stdout
index d5abbff6b9..9ff86f6f95 100644
--- a/testing/btest/Baseline/core.network_time.broker/worker..stdout
+++ b/testing/btest/Baseline/core.network_time.broker/worker..stdout
@@ -17,7 +17,7 @@
 44.750, timer_tick, 13, 45.0
 45.000, timer, second timer (3 sec)
 45.000, timer_tick, 14, 45.25
-45.250, timer, third timer (3.5 sec)
+45.250, timer, third timer (3.25 sec)
 45.250, timer_tick, 15, 45.5
 45.500, timer_tick, 16, 45.75
 45.750, timer_tick, 17, 46.0
diff --git a/testing/btest/Baseline/core.raw-truncation/weird.log b/testing/btest/Baseline/core.raw-truncation/weird.log
new file mode 100644
index 0000000000..92120b6cc6
--- /dev/null
+++ b/testing/btest/Baseline/core.raw-truncation/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_ethernet_frame	-	F	zeek	ETHERNET
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.raw_packet/output b/testing/btest/Baseline/core.raw_packet/output
index 28a56fd165..d3a7309fb9 100644
--- a/testing/btest/Baseline/core.raw_packet/output
+++ b/testing/btest/Baseline/core.raw_packet/output
@@ -1,49 +1,49 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, ttl=64, p=17, src=192.168.1.1, dst=255.255.255.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=54, id=52261, ttl=64, p=6, src=192.168.1.103, dst=64.4.23.176], ip6=<uninitialized>, tcp=[sport=65493/tcp, dport=40031/tcp, seq=2642773190, ack=2891276360, hl=32, dl=2, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, DF=T, MF=F, offset=0, ttl=64, p=17, sum=30843, src=192.168.1.1, dst=255.255.255.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=54, id=52261, DF=T, MF=F, offset=0, ttl=64, p=6, sum=21721, src=192.168.1.103, dst=64.4.23.176], ip6=<uninitialized>, tcp=[sport=65493/tcp, dport=40031/tcp, seq=2642773190, ack=2891276360, hl=32, dl=2, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=32575, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=65170/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=55466, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=92, cap_len=92, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=78, id=32240, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=58], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=85, cap_len=85, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=71, id=53895, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=57932/udp, dport=53/udp, ulen=51], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=32575, DF=F, MF=F, offset=0, ttl=64, p=17, sum=30645, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=65170/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=55466, DF=F, MF=F, offset=0, ttl=64, p=17, sum=7754, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=44], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=92, cap_len=92, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=78, id=32240, DF=F, MF=F, offset=0, ttl=64, p=17, sum=30966, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53129/udp, dport=53/udp, ulen=58], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=85, cap_len=85, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=71, id=53895, DF=F, MF=F, offset=0, ttl=64, p=17, sum=9318, src=192.168.1.103, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=57932/udp, dport=53/udp, ulen=51], icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=307, cap_len=307, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=293, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=273], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=379, cap_len=379, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=365, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=345], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=307, cap_len=307, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=293, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50212, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=273], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50203, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=379, cap_len=379, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=365, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50140, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=345], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50148, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=355, cap_len=355, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=341, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=321], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=355, cap_len=355, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=341, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50164, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=321], icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=387, cap_len=387, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=373, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=353], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=375, cap_len=375, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=361, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=341], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=369, cap_len=369, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=355, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=335], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=381, cap_len=381, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=367, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=347], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, ttl=64, p=17, src=192.168.1.1, dst=255.255.255.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=00:50:56:3e:93:6b, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=29257, ttl=64, p=1, src=192.168.1.104, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
-[l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=e8:de:27:ff:c0:78, dst=00:50:56:3e:93:6b, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=3684, ttl=64, p=1, src=192.168.1.1, dst=192.168.1.104], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
-[l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=56893, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176031, ack=445274592, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=22643, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=0, reserved=0, flags=16, win=4094], udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=85, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=28558, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176123, ack=445274652, hl=32, dl=31, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=36529, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176154, ack=445274652, hl=32, dl=0, reserved=0, flags=17, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=387, cap_len=387, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=373, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50132, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=353], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50203, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=375, cap_len=375, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=361, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50144, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=341], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=369, cap_len=369, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=355, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50150, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=335], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50203, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50148, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=381, cap_len=381, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=367, id=0, DF=T, MF=F, offset=0, ttl=4, p=17, sum=50138, src=192.168.1.1, dst=239.255.255.250], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=45335/udp, dport=1900/udp, ulen=347], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, DF=T, MF=F, offset=0, ttl=64, p=17, sum=30843, src=192.168.1.1, dst=255.255.255.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=00:50:56:3e:93:6b, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=29257, DF=T, MF=F, offset=0, ttl=64, p=1, sum=17574, src=192.168.1.104, dst=192.168.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=e8:de:27:ff:c0:78, dst=00:50:56:3e:93:6b, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=3684, DF=F, MF=F, offset=0, ttl=64, p=1, sum=59531, src=192.168.1.1, dst=192.168.1.104], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
+[l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=56893, DF=T, MF=F, offset=0, ttl=64, p=6, sum=14914, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176031, ack=445274592, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=22643, DF=T, MF=F, offset=0, ttl=64, p=6, sum=49210, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=0, reserved=0, flags=16, win=4094], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=85, DF=T, MF=F, offset=0, ttl=64, p=6, sum=6187, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=28558, DF=T, MF=F, offset=0, ttl=64, p=6, sum=43264, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176123, ack=445274652, hl=32, dl=31, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+[l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=36529, DF=T, MF=F, offset=0, ttl=64, p=6, sum=35324, src=192.168.1.103, dst=74.125.21.138], ip6=<uninitialized>, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176154, ack=445274652, hl=32, dl=0, reserved=0, flags=17, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=38, proto=L3_UNKNOWN], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=5, ttl=255, p=1, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=5, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17471, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
 [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2054, proto=L3_ARP], ip=<uninitialized>, ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=<uninitialized>]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=6, ttl=255, p=1, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=6, ttl=255, p=1, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=7, ttl=255, p=1, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=7, ttl=255, p=1, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=8, ttl=255, p=1, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=8, ttl=255, p=1, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=9, ttl=255, p=1, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
-[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=9, ttl=255, p=1, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=6, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17470, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=6, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17470, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=7, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17469, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=7, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17469, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=8, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17468, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=8, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17468, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:18:73:de:57:c1, dst=00:19:06:ea:b8:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=9, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17467, src=192.168.123.2, dst=192.168.123.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]]
+[l2=[encap=LINK_ETHERNET, len=118, cap_len=118, src=00:19:06:ea:b8:c1, dst=00:18:73:de:57:c1, vlan=123, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=100, id=9, DF=F, MF=F, offset=0, ttl=255, p=1, sum=17467, src=192.168.123.1, dst=192.168.123.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]]
diff --git a/testing/btest/Baseline/core.reassembly/output b/testing/btest/Baseline/core.reassembly/output
index 8f50aa51f2..fde583b6a9 100644
--- a/testing/btest/Baseline/core.reassembly/output
+++ b/testing/btest/Baseline/core.reassembly/output
@@ -19,14 +19,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
 flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
 flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1
 ----------------------
-net_weird, truncated_IPv6
-net_weird, truncated_IPv6
-net_weird, truncated_IPv6
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
+net_weird, truncated_IP_len
+net_weird, truncated_IP_len
+net_weird, truncated_IP_len
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
-net_weird, truncated_IPv6
+net_weird, truncated_IP_len
 rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP
diff --git a/testing/btest/Baseline/core.record-field-redef/output b/testing/btest/Baseline/core.record-field-redef/output
index da877cddd0..f35518cafa 100644
--- a/testing/btest/Baseline/core.record-field-redef/output
+++ b/testing/btest/Baseline/core.record-field-redef/output
@@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 Info record_fields\x0a, {
-[extra1] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[extra2] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>],
-[ts] = [type_name=time, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[extra3] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[msg] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>],
-[extra4] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>]
+[extra1] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[extra2] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[ts] = [type_name=time, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[extra3] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=T],
+[msg] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=F],
+[extra4] = [type_name=string, log=T, value=<uninitialized>, default_val=<uninitialized>, optional=T]
 }
 Info record, [ts=XXXXXXXXXX.XXXXXX, msg=msg, extra1=extra1 value, extra2=extra2 value, extra3=extra3 value, extra4=extra4 value]
diff --git a/testing/btest/Baseline/core.seed-errors/output b/testing/btest/Baseline/core.seed-errors/output
new file mode 100644
index 0000000000..6792ee320f
--- /dev/null
+++ b/testing/btest/Baseline/core.seed-errors/output
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+file does not exist
+warning: Could not open seed file './does/not-exist': No such file or directory
+fatal error: Could not load seeds from file './does/not-exist'.
+cannot use ZEEK_SEED_FILE and ZEEK_SEED
+fatal error: can't use ZEEK_SEED_VALUES together with ZEEK_SEED_FILE or -G
+cannot use -G and ZEEK_SEED
+fatal error: can't use ZEEK_SEED_VALUES together with ZEEK_SEED_FILE or -G
+wrong format (1)
+fatal error: Could not load seeds from string
+wrong format (2)
+fatal error: Could not load seeds from string
diff --git a/testing/btest/Baseline/core.seed/output b/testing/btest/Baseline/core.seed/output
new file mode 100644
index 0000000000..3c314654c4
--- /dev/null
+++ b/testing/btest/Baseline/core.seed/output
@@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+test seed
+10307, CrFj3eGxkRR5
+10307, CrFj3eGxkRR5
+1 to 21
+3, CS6rj43joLxl
+3, CS6rj43joLxl
+21 x 0, deterministic
+3, CwwXWmUIYdSg
+3, CwwXWmUIYdSg
+different
+39, CBZDI3Gc0Cl7
+78, CU9o4PABWw9k
+117, CpaF4wTs0sq8
+writing seeds (twice)
+3, CdYMcd1tcP2
+3, CZKuY3Fww4V7
diff --git a/testing/btest/Baseline/core.seed/seeds.out b/testing/btest/Baseline/core.seed/seeds.out
new file mode 100644
index 0000000000..6eac81bd48
--- /dev/null
+++ b/testing/btest/Baseline/core.seed/seeds.out
@@ -0,0 +1,22 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+9
+8
+7
+6
+5
+4
+3
+2
+1
+0
diff --git a/testing/btest/Baseline/core.suspend_processing.event-from-zeek-init/output b/testing/btest/Baseline/core.suspend_processing.event-from-zeek-init/output
index 274823d7fd..d83996c314 100644
--- a/testing/btest/Baseline/core.suspend_processing.event-from-zeek-init/output
+++ b/testing/btest/Baseline/core.suspend_processing.event-from-zeek-init/output
@@ -3,14 +3,14 @@
 0.0, zeek_post
 0.0, one_line, first line
 1467818432.675392, network_time_init
-1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
+1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28574, src=192.168.56.11, dst=192.168.56.12]
+1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45496, src=192.168.56.12, dst=192.168.56.11]
+1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28517, src=192.168.56.11, dst=192.168.56.12]
+1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45439, src=192.168.56.12, dst=192.168.56.11]
+1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28485, src=192.168.56.11, dst=192.168.56.12]
+1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45196, src=192.168.56.12, dst=192.168.56.11]
+1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28263, src=192.168.56.11, dst=192.168.56.12]
+1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44998, src=192.168.56.12, dst=192.168.56.11]
+1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28190, src=192.168.56.11, dst=192.168.56.12]
+1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44863, src=192.168.56.12, dst=192.168.56.11]
 1467818435.680663, zeek_done
diff --git a/testing/btest/Baseline/core.suspend_processing.event-order/output b/testing/btest/Baseline/core.suspend_processing.event-order/output
index fc0454e54a..89899f85b2 100644
--- a/testing/btest/Baseline/core.suspend_processing.event-order/output
+++ b/testing/btest/Baseline/core.suspend_processing.event-order/output
@@ -3,19 +3,19 @@
 0.0, one_line, first line
 1467818432.675392, network_time_init
 1467818432.675392, new_connection, CHhAvVGS1DHFjwGM9
-1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
+1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28574, src=192.168.56.11, dst=192.168.56.12]
 1467818432.675732, new_connection, ClEkJM2Vm5giqnMf4h
-1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
+1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45496, src=192.168.56.12, dst=192.168.56.11]
 1467818432.676047, new_connection, C4J4Th3PJpwUYZZ6gc
 1467818432.676047, new_connection, CtPZjS20MLrsMUOJi2
-1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
+1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28517, src=192.168.56.11, dst=192.168.56.12]
 1467818432.676385, new_connection, CUM0KZ3MLUfNB0cl11
-1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
+1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45439, src=192.168.56.12, dst=192.168.56.11]
+1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28485, src=192.168.56.11, dst=192.168.56.12]
+1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45196, src=192.168.56.12, dst=192.168.56.11]
+1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28263, src=192.168.56.11, dst=192.168.56.12]
+1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44998, src=192.168.56.12, dst=192.168.56.11]
+1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28190, src=192.168.56.11, dst=192.168.56.12]
+1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44863, src=192.168.56.12, dst=192.168.56.11]
 1467818435.680663, Pcap::file_done, <...>/vxlan.pcap
 1467818435.680663, zeek_done
diff --git a/testing/btest/Baseline/core.suspend_processing.scheduled-event-from-zeek-init/output b/testing/btest/Baseline/core.suspend_processing.scheduled-event-from-zeek-init/output
index b13d7ce3a0..09cb79771f 100644
--- a/testing/btest/Baseline/core.suspend_processing.scheduled-event-from-zeek-init/output
+++ b/testing/btest/Baseline/core.suspend_processing.scheduled-event-from-zeek-init/output
@@ -4,14 +4,14 @@
 0.0, zeek_scheduled
 0.0, one_line, first line
 1467818432.675392, network_time_init
-1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
-1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, ttl=64, p=17, src=192.168.56.11, dst=192.168.56.12]
-1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, ttl=64, p=17, src=192.168.56.12, dst=192.168.56.11]
+1467818432.675392, raw_packet, [hl=20, tos=0, len=78, id=55704, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28574, src=192.168.56.11, dst=192.168.56.12]
+1467818432.675732, raw_packet, [hl=20, tos=0, len=78, id=38782, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45496, src=192.168.56.12, dst=192.168.56.11]
+1467818432.676047, raw_packet, [hl=20, tos=0, len=134, id=55705, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28517, src=192.168.56.11, dst=192.168.56.12]
+1467818432.676385, raw_packet, [hl=20, tos=0, len=134, id=38783, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45439, src=192.168.56.12, dst=192.168.56.11]
+1467818433.677322, raw_packet, [hl=20, tos=0, len=134, id=55737, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28485, src=192.168.56.11, dst=192.168.56.12]
+1467818433.677452, raw_packet, [hl=20, tos=0, len=134, id=39026, DF=T, MF=F, offset=0, ttl=64, p=17, sum=45196, src=192.168.56.12, dst=192.168.56.11]
+1467818434.678483, raw_packet, [hl=20, tos=0, len=134, id=55959, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28263, src=192.168.56.11, dst=192.168.56.12]
+1467818434.678691, raw_packet, [hl=20, tos=0, len=134, id=39224, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44998, src=192.168.56.12, dst=192.168.56.11]
+1467818435.680481, raw_packet, [hl=20, tos=0, len=134, id=56032, DF=T, MF=F, offset=0, ttl=64, p=17, sum=28190, src=192.168.56.11, dst=192.168.56.12]
+1467818435.680663, raw_packet, [hl=20, tos=0, len=134, id=39359, DF=T, MF=F, offset=0, ttl=64, p=17, sum=44863, src=192.168.56.12, dst=192.168.56.11]
 1467818435.680663, zeek_done
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index f66a32f806..d118b5b071 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -27,7 +27,7 @@ XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IP	-	F	zeek	IP
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
 #types	time	string	addr	port	addr	port	string	string	bool	string	string
-XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IPv6	-	F	zeek	IP
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_IP_len	-	F	zeek	IP
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
 #set_separator	,
diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log
new file mode 100644
index 0000000000..4f1b0c13ed
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	udp	geneve	1.025005	25684	0	S0	T	T	0	D	24	26356	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.0.107	45474	145.40.68.75	443	tcp	ssl	1.024744	781	23111	SF	T	F	0	ShADadFf	15	1569	9	23587	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log
new file mode 100644
index 0000000000..06848a4135
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	47101	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.geneve-many-options/out b/testing/btest/Baseline/core.tunnels.geneve-many-options/out
index fd669b881a..32a2828c43 100644
--- a/testing/btest/Baseline/core.tunnels.geneve-many-options/out
+++ b/testing/btest/Baseline/core.tunnels.geneve-many-options/out
@@ -1,11 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=60, id=25311, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085449, ack=0, hl=40, dl=0, reserved=0, flags=2, win=64860], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=60, id=0, ttl=41, p=6, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024923, ack=2448085450, hl=40, dl=0, reserved=0, flags=18, win=65160], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25312, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085450, ack=3621024924, hl=32, dl=0, reserved=0, flags=16, win=507], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=133, id=25313, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085450, ack=3621024924, hl=32, dl=81, reserved=0, flags=24, win=507], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=56345, ttl=41, p=6, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024924, ack=2448085531, hl=32, dl=0, reserved=0, flags=16, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=629, id=56346, ttl=41, p=6, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024924, ack=2448085531, hl=32, dl=577, reserved=0, flags=24, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25314, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085531, ack=3621025501, hl=32, dl=0, reserved=0, flags=16, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25315, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085531, ack=3621025501, hl=32, dl=0, reserved=0, flags=17, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=56347, ttl=41, p=6, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621025501, ack=2448085532, hl=32, dl=0, reserved=0, flags=17, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
-geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25316, ttl=64, p=6, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085532, ack=3621025502, hl=32, dl=0, reserved=0, flags=16, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=60, id=25311, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34929, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085449, ack=0, hl=40, dl=0, reserved=0, flags=2, win=64860], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=60, id=0, DF=T, MF=F, offset=0, ttl=41, p=6, sum=593, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024923, ack=2448085450, hl=40, dl=0, reserved=0, flags=18, win=65160], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25312, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34936, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085450, ack=3621024924, hl=32, dl=0, reserved=0, flags=16, win=507], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=133, id=25313, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34854, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085450, ack=3621024924, hl=32, dl=81, reserved=0, flags=24, win=507], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=56345, DF=T, MF=F, offset=0, ttl=41, p=6, sum=9791, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024924, ack=2448085531, hl=32, dl=0, reserved=0, flags=16, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=629, id=56346, DF=T, MF=F, offset=0, ttl=41, p=6, sum=9213, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621024924, ack=2448085531, hl=32, dl=577, reserved=0, flags=24, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25314, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34934, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085531, ack=3621025501, hl=32, dl=0, reserved=0, flags=16, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25315, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34933, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085531, ack=3621025501, hl=32, dl=0, reserved=0, flags=17, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=56347, DF=T, MF=F, offset=0, ttl=41, p=6, sum=9789, src=95.217.228.176, dst=10.0.0.226], ip6=<uninitialized>, tcp=[sport=80/tcp, dport=39088/tcp, seq=3621025501, ack=2448085532, hl=32, dl=0, reserved=0, flags=17, win=509], udp=<uninitialized>, icmp=<uninitialized>], 786734
+geneve_packet, [orig_h=192.168.33.179, orig_p=6667/udp, resp_h=192.168.179.33, resp_p=6081/udp], [ip=[hl=20, tos=0, len=52, id=25316, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34932, src=10.0.0.226, dst=95.217.228.176], ip6=<uninitialized>, tcp=[sport=39088/tcp, dport=80/tcp, seq=2448085532, ack=3621025502, hl=32, dl=0, reserved=0, flags=16, win=503], udp=<uninitialized>, icmp=<uninitialized>], 786734
diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log
new file mode 100644
index 0000000000..da327070c6
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.16.11.201	36872	1.1.1.1	53	udp	dns	2.000009	54	74	SF	T	F	0	Dd	1	82	1	102	ClEkJM2Vm5giqnMf4h
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	udp	geneve	2.000009	300	0	S0	T	T	0	D	2	356	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	udp	vxlan	2.000009	228	0	S0	T	T	0	D	2	284	0	0	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log
new file mode 100644
index 0000000000..58cb917657
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	11803	127.0.0.1	6081	Tunnel::GENEVE	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	26383	127.0.0.1	4789	Tunnel::VXLAN	Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.geneve/out b/testing/btest/Baseline/core.tunnels.geneve/out
index 05bb572661..f803ed9e28 100644
--- a/testing/btest/Baseline/core.tunnels.geneve/out
+++ b/testing/btest/Baseline/core.tunnels.geneve/out
@@ -1,7 +1,7 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
-geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4503, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
-geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
-geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4504, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
-geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, ttl=64, p=1, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
-geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4505, ttl=64, p=1, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, DF=T, MF=F, offset=0, ttl=64, p=1, sum=65190, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
+geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4503, DF=F, MF=F, offset=0, ttl=64, p=1, sum=11536, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, DF=T, MF=F, offset=0, ttl=64, p=1, sum=65190, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
+geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4504, DF=F, MF=F, offset=0, ttl=64, p=1, sum=11535, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
+geneve_packet, [orig_h=20.0.0.1, orig_p=50901/udp, resp_h=20.0.0.2, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=0, DF=T, MF=F, offset=0, ttl=64, p=1, sum=65190, src=30.0.0.1, dst=30.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 0
+geneve_packet, [orig_h=20.0.0.2, orig_p=0/udp, resp_h=20.0.0.1, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=4505, DF=F, MF=F, offset=0, ttl=64, p=1, sum=11534, src=30.0.0.2, dst=30.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 0
diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log
new file mode 100644
index 0000000000..66e2c52380
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	157.240.18.16	443	149.159.130.184	49392	tcp	-	-	-	-	OTH	F	F	0	D	2	356	0	0	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log
new file mode 100644
index 0000000000..a1529d17cf
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/tunnel.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.226.22.9	0	10.102.16.187	0	Tunnel::GRE	Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/out b/testing/btest/Baseline/core.tunnels.vxlan/out
index eff8b721fa..2b7535538a 100644
--- a/testing/btest/Baseline/core.tunnels.vxlan/out
+++ b/testing/btest/Baseline/core.tunnels.vxlan/out
@@ -1,9 +1,9 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
-vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
-vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
-vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
-vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
-vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
-vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
-vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, DF=T, MF=F, offset=0, ttl=64, p=1, sum=63319, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54901, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, DF=T, MF=F, offset=0, ttl=64, p=1, sum=63089, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54784, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, DF=T, MF=F, offset=0, ttl=64, p=1, sum=62923, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54606, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, DF=T, MF=F, offset=0, ttl=64, p=1, sum=62746, src=10.0.0.1, dst=10.0.0.2], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54519, src=10.0.0.2, dst=10.0.0.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=0]], 123
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index e1d05d14f1..5540e6d45b 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek
@@ -85,8 +91,8 @@ scripts/base/init-bare.zeek
     scripts/base/packet-protocols/gtpv1/__load__.zeek
       scripts/base/packet-protocols/gtpv1/main.zeek
         build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
+  scripts/base/frameworks/spicy/init-bare.zeek
 build/scripts/builtin-plugins/__preload__.zeek
-  build/scripts/builtin-plugins/Zeek_Spicy/__preload__.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -142,6 +148,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/bloom-filter.bif.zeek
     build/scripts/base/bif/cardinality-counter.bif.zeek
     build/scripts/base/bif/top-k.bif.zeek
+    build/scripts/base/bif/spicy.bif.zeek
   build/scripts/base/bif/plugins/__load__.zeek
     build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
@@ -258,16 +265,12 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.functions.bif.zeek
+  scripts/base/frameworks/spicy/init-framework.zeek
+    scripts/base/misc/version.zeek
+      scripts/base/frameworks/reporter/__load__.zeek
+        scripts/base/frameworks/reporter/main.zeek
+      scripts/base/utils/strings.zeek
 build/scripts/builtin-plugins/__load__.zeek
-  build/scripts/builtin-plugins/Zeek_Spicy/__load__.zeek
-    build/scripts/builtin-plugins/Zeek_Spicy/Zeek/Spicy/bare.zeek
-      scripts/base/misc/version.zeek
-        scripts/base/frameworks/reporter/__load__.zeek
-          scripts/base/frameworks/reporter/main.zeek
-        scripts/base/utils/strings.zeek
 scripts/policy/misc/loaded-scripts.zeek
   scripts/base/utils/paths.zeek
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index f9c627c29c..2c597084a7 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -69,6 +69,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/llc/__load__.zeek
+      scripts/base/packet-protocols/llc/main.zeek
+    scripts/base/packet-protocols/novell_802_3/__load__.zeek
+      scripts/base/packet-protocols/novell_802_3/main.zeek
+    scripts/base/packet-protocols/snap/__load__.zeek
+      scripts/base/packet-protocols/snap/main.zeek
     scripts/base/packet-protocols/gre/__load__.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek
@@ -85,8 +91,8 @@ scripts/base/init-bare.zeek
     scripts/base/packet-protocols/gtpv1/__load__.zeek
       scripts/base/packet-protocols/gtpv1/main.zeek
         build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
+  scripts/base/frameworks/spicy/init-bare.zeek
 build/scripts/builtin-plugins/__preload__.zeek
-  build/scripts/builtin-plugins/Zeek_Spicy/__preload__.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -142,6 +148,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/bloom-filter.bif.zeek
     build/scripts/base/bif/cardinality-counter.bif.zeek
     build/scripts/base/bif/top-k.bif.zeek
+    build/scripts/base/bif/spicy.bif.zeek
   build/scripts/base/bif/plugins/__load__.zeek
     build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
@@ -258,9 +265,11 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
     build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Spicy.functions.bif.zeek
+  scripts/base/frameworks/spicy/init-framework.zeek
+    scripts/base/misc/version.zeek
+      scripts/base/frameworks/reporter/__load__.zeek
+        scripts/base/frameworks/reporter/main.zeek
+      scripts/base/utils/strings.zeek
 scripts/base/init-default.zeek
   scripts/base/utils/active-http.zeek
     scripts/base/utils/exec.zeek
@@ -268,8 +277,6 @@ scripts/base/init-default.zeek
   scripts/base/utils/backtrace.zeek
   scripts/base/utils/conn-ids.zeek
   scripts/base/utils/dir.zeek
-    scripts/base/frameworks/reporter/__load__.zeek
-      scripts/base/frameworks/reporter/main.zeek
     scripts/base/utils/paths.zeek
   scripts/base/utils/directions-and-hosts.zeek
   scripts/base/utils/email.zeek
@@ -277,7 +284,6 @@ scripts/base/init-default.zeek
   scripts/base/utils/geoip-distance.zeek
   scripts/base/utils/numbers.zeek
   scripts/base/utils/queue.zeek
-  scripts/base/utils/strings.zeek
   scripts/base/utils/thresholds.zeek
   scripts/base/utils/time.zeek
   scripts/base/utils/urls.zeek
@@ -341,7 +347,8 @@ scripts/base/init-default.zeek
     scripts/base/frameworks/netcontrol/non-cluster.zeek
   scripts/base/frameworks/telemetry/__load__.zeek
     scripts/base/frameworks/telemetry/main.zeek
-      scripts/base/misc/version.zeek
+  scripts/base/frameworks/spicy/__load__.zeek
+    scripts/base/frameworks/spicy/main.zeek
   scripts/base/protocols/conn/__load__.zeek
     scripts/base/protocols/conn/main.zeek
     scripts/base/protocols/conn/contents.zeek
@@ -457,8 +464,5 @@ scripts/base/init-default.zeek
   scripts/base/misc/find-filtered-trace.zeek
   build/scripts/base/misc/installation.zeek
 build/scripts/builtin-plugins/__load__.zeek
-  build/scripts/builtin-plugins/Zeek_Spicy/__load__.zeek
-    build/scripts/builtin-plugins/Zeek_Spicy/Zeek/Spicy/bare.zeek
-    build/scripts/builtin-plugins/Zeek_Spicy/Zeek/Spicy/default.zeek
 scripts/policy/misc/loaded-scripts.zeek
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.test-all-policy-cluster/.stderr b/testing/btest/Baseline/coverage.test-all-policy-cluster/.stderr
new file mode 100644
index 0000000000..bff9a64e41
--- /dev/null
+++ b/testing/btest/Baseline/coverage.test-all-policy-cluster/.stderr
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+received termination signal
+received termination signal
+received termination signal
+received termination signal
diff --git a/testing/btest/Baseline/coverage.zeek-profiler-file/step1.out b/testing/btest/Baseline/coverage.zeek-profiler-file/step1.out
index dc795e2403..e9b69cafea 100644
--- a/testing/btest/Baseline/coverage.zeek-profiler-file/step1.out
+++ b/testing/btest/Baseline/coverage.zeek-profiler-file/step1.out
@@ -1,2 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 1	./profiling-test1.zeek, line 2	print new conn;
+1	./profiling-test1.zeek, lines 1-2	event new_connection BODY
diff --git a/testing/btest/Baseline/coverage.zeek-profiler-file/step2.out b/testing/btest/Baseline/coverage.zeek-profiler-file/step2.out
index 4247325597..62505a3666 100644
--- a/testing/btest/Baseline/coverage.zeek-profiler-file/step2.out
+++ b/testing/btest/Baseline/coverage.zeek-profiler-file/step2.out
@@ -1,2 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 2	./profiling-test1.zeek, line 2	print new conn;
+2	./profiling-test1.zeek, lines 1-2	event new_connection BODY
diff --git a/testing/btest/Baseline/coverage.zeek-profiler-file/step3.out b/testing/btest/Baseline/coverage.zeek-profiler-file/step3.out
index 5fa4d0b749..7e37b66ce2 100644
--- a/testing/btest/Baseline/coverage.zeek-profiler-file/step3.out
+++ b/testing/btest/Baseline/coverage.zeek-profiler-file/step3.out
@@ -1,3 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 2	./profiling-test1.zeek, line 2	print new conn;
+2	./profiling-test1.zeek, lines 1-2	event new_connection BODY
 1	./profiling-test2.zeek, line 2	print new conn;
+1	./profiling-test2.zeek, lines 1-2	event new_connection BODY
diff --git a/testing/btest/Baseline/doc.zeekygen.example/example.rst b/testing/btest/Baseline/doc.zeekygen.example/example.rst
index 12e2f23aa6..aa2b0d3601 100644
--- a/testing/btest/Baseline/doc.zeekygen.example/example.rst
+++ b/testing/btest/Baseline/doc.zeekygen.example/example.rst
@@ -260,7 +260,7 @@ Events
    link.  Use the see role instead: :zeek:see:`ZeekygenExample::a_function`.
    
 
-   :name: Describe the argument here.
+   :param name: Describe the argument here.
 
 Functions
 #########
@@ -275,11 +275,11 @@ Functions
    empty comments is optional, but improves readability of script.
    
 
-   :tag: Function arguments can be described
+   :param tag: Function arguments can be described
         like this.
    
 
-   :msg: Another param.
+   :param msg: Another param.
    
 
    :returns: Describe the return type here.
diff --git a/testing/btest/Baseline/doc.zeekygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.zeekygen.func-params/autogen-reST-func-params.rst
index 598c449a66..4cc37b9d7c 100644
--- a/testing/btest/Baseline/doc.zeekygen.func-params/autogen-reST-func-params.rst
+++ b/testing/btest/Baseline/doc.zeekygen.func-params/autogen-reST-func-params.rst
@@ -7,9 +7,9 @@
    This is a global function declaration.
    
 
-   :i: First param.
+   :param i: First param.
 
-   :j: Second param.
+   :param j: Second param.
    
 
    :returns: A string.
@@ -23,9 +23,9 @@
          This is a record field function.
          
 
-         :i: First param.
+         :param i: First param.
 
-         :j: Second param.
+         :param j: Second param.
          
 
          :returns: A string.
diff --git a/testing/btest/Baseline/doc.zeekygen.identifier/test.rst b/testing/btest/Baseline/doc.zeekygen.identifier/test.rst
index a63a5439b7..219c92da8b 100644
--- a/testing/btest/Baseline/doc.zeekygen.identifier/test.rst
+++ b/testing/btest/Baseline/doc.zeekygen.identifier/test.rst
@@ -212,11 +212,11 @@
    empty comments is optional, but improves readability of script.
    
 
-   :tag: Function arguments can be described
+   :param tag: Function arguments can be described
         like this.
    
 
-   :msg: Another param.
+   :param msg: Another param.
    
 
    :returns: Describe the return type here.
@@ -234,7 +234,7 @@
    link.  Use the see role instead: :zeek:see:`ZeekygenExample::a_function`.
    
 
-   :name: Describe the argument here.
+   :param name: Describe the argument here.
 
 .. zeek:id:: ZeekygenExample::function_without_proto
    :source-code: zeekygen/example.zeek 176 184
diff --git a/testing/btest/Baseline/language.bro_init/out b/testing/btest/Baseline/language.bro_init/out
deleted file mode 100644
index 0b182fe89e..0000000000
--- a/testing/btest/Baseline/language.bro_init/out
+++ /dev/null
@@ -1,3 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/bro_init.zeek, line 5: event bro_init() is no longer available, use zeek_init() instead
-error in <...>/bro_init.zeek, line 10: event bro_done() is no longer available, use zeek_done() instead
diff --git a/testing/btest/Baseline/language.bro_script_loaded/out b/testing/btest/Baseline/language.bro_script_loaded/out
deleted file mode 100644
index 5fb003b55b..0000000000
--- a/testing/btest/Baseline/language.bro_script_loaded/out
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/bro_script_loaded.zeek, line 5: event bro_script_loaded() is no longer available, use zeek_script_loaded() instead
diff --git a/testing/btest/Baseline/language.event-ts-scheduled/out b/testing/btest/Baseline/language.event-ts-scheduled/out
new file mode 100644
index 0000000000..6890f28697
--- /dev/null
+++ b/testing/btest/Baseline/language.event-ts-scheduled/out
@@ -0,0 +1,41 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+>> Run 0 (1989-12-12-22:00:00)
+<< Run 0 (1989-12-12-22:00:00)
+[1989-12-12-23:00:00] Test was scheduled at 1989-12-12-22:00:00 for 1989-12-12-22:15:00
+[1989-12-12-23:00:00] Test was scheduled at 1989-12-12-22:00:00 for 1989-12-12-22:30:00
+>> Run 1 (1989-12-12-23:00:00)
+<< Run 1 (1989-12-12-23:00:00)
+[1989-12-13-00:00:00] Test was scheduled at 1989-12-12-23:00:00 for 1989-12-12-23:15:00
+[1989-12-13-00:00:00] Test was scheduled at 1989-12-12-23:00:00 for 1989-12-12-23:30:00
+>> Run 2 (1989-12-13-00:00:00)
+<< Run 2 (1989-12-13-00:00:00)
+[1989-12-13-01:00:00] Test was scheduled at 1989-12-13-00:00:00 for 1989-12-13-00:15:00
+[1989-12-13-01:00:00] Test was scheduled at 1989-12-13-00:00:00 for 1989-12-13-00:30:00
+>> Run 3 (1989-12-13-01:00:00)
+<< Run 3 (1989-12-13-01:00:00)
+[1989-12-13-02:00:00] Test was scheduled at 1989-12-13-01:00:00 for 1989-12-13-01:15:00
+[1989-12-13-02:00:00] Test was scheduled at 1989-12-13-01:00:00 for 1989-12-13-01:30:00
+>> Run 4 (1989-12-13-02:00:00)
+<< Run 4 (1989-12-13-02:00:00)
+[1989-12-13-03:00:00] Test was scheduled at 1989-12-13-02:00:00 for 1989-12-13-02:15:00
+[1989-12-13-03:00:00] Test was scheduled at 1989-12-13-02:00:00 for 1989-12-13-02:30:00
+>> Run 5 (1989-12-13-03:00:00)
+<< Run 5 (1989-12-13-03:00:00)
+[1989-12-13-04:00:00] Test was scheduled at 1989-12-13-03:00:00 for 1989-12-13-03:15:00
+[1989-12-13-04:00:00] Test was scheduled at 1989-12-13-03:00:00 for 1989-12-13-03:30:00
+>> Run 6 (1989-12-13-04:00:00)
+<< Run 6 (1989-12-13-04:00:00)
+[1989-12-13-05:00:00] Test was scheduled at 1989-12-13-04:00:00 for 1989-12-13-04:15:00
+[1989-12-13-05:00:00] Test was scheduled at 1989-12-13-04:00:00 for 1989-12-13-04:30:00
+>> Run 7 (1989-12-13-05:00:00)
+<< Run 7 (1989-12-13-05:00:00)
+[1989-12-13-06:00:00] Test was scheduled at 1989-12-13-05:00:00 for 1989-12-13-05:15:00
+[1989-12-13-06:00:00] Test was scheduled at 1989-12-13-05:00:00 for 1989-12-13-05:30:00
+>> Run 8 (1989-12-13-06:00:00)
+<< Run 8 (1989-12-13-06:00:00)
+[1989-12-13-07:00:00] Test was scheduled at 1989-12-13-06:00:00 for 1989-12-13-06:15:00
+[1989-12-13-07:00:00] Test was scheduled at 1989-12-13-06:00:00 for 1989-12-13-06:30:00
+>> Run 9 (1989-12-13-07:00:00)
+<< Run 9 (1989-12-13-07:00:00)
+[1989-12-13-07:00:00] Test was scheduled at 1989-12-13-07:00:00 for 1989-12-13-07:15:00
+[1989-12-13-07:00:00] Test was scheduled at 1989-12-13-07:00:00 for 1989-12-13-07:30:00
diff --git a/testing/btest/Baseline/language.event-ts/out b/testing/btest/Baseline/language.event-ts/out
new file mode 100644
index 0000000000..7ced6e45a0
--- /dev/null
+++ b/testing/btest/Baseline/language.event-ts/out
@@ -0,0 +1,51 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+>> Run 0 (1989-12-12-22:00:00):
+[1989-12-12-22:00:00] Test 4 was scheduled at 1989-12-12-22:00:00
+[1989-12-12-22:00:00] Test 3 was scheduled at 1989-12-12-22:00:00
+[1989-12-12-22:00:00] Test 2 was scheduled at 1989-12-12-22:00:00
+[1989-12-12-22:00:01] Test 1 was scheduled at 1989-12-12-22:00:00
+>> Run 1 (1989-12-12-22:00:01):
+[1989-12-12-22:00:01] Test 4 was scheduled at 1989-12-12-22:00:01
+[1989-12-12-22:00:01] Test 3 was scheduled at 1989-12-12-22:00:01
+[1989-12-12-22:00:01] Test 2 was scheduled at 1989-12-12-22:00:01
+[1989-12-12-22:00:02] Test 1 was scheduled at 1989-12-12-22:00:01
+>> Run 2 (1989-12-12-22:00:02):
+[1989-12-12-22:00:02] Test 4 was scheduled at 1989-12-12-22:00:02
+[1989-12-12-22:00:02] Test 3 was scheduled at 1989-12-12-22:00:02
+[1989-12-12-22:00:02] Test 2 was scheduled at 1989-12-12-22:00:02
+[1989-12-12-22:00:03] Test 1 was scheduled at 1989-12-12-22:00:02
+>> Run 3 (1989-12-12-22:00:03):
+[1989-12-12-22:00:03] Test 4 was scheduled at 1989-12-12-22:00:03
+[1989-12-12-22:00:03] Test 3 was scheduled at 1989-12-12-22:00:03
+[1989-12-12-22:00:03] Test 2 was scheduled at 1989-12-12-22:00:03
+[1989-12-12-22:00:04] Test 1 was scheduled at 1989-12-12-22:00:03
+>> Run 4 (1989-12-12-22:00:04):
+[1989-12-12-22:00:04] Test 4 was scheduled at 1989-12-12-22:00:04
+[1989-12-12-22:00:04] Test 3 was scheduled at 1989-12-12-22:00:04
+[1989-12-12-22:00:04] Test 2 was scheduled at 1989-12-12-22:00:04
+[1989-12-12-22:00:05] Test 1 was scheduled at 1989-12-12-22:00:04
+>> Run 5 (1989-12-12-22:00:05):
+[1989-12-12-22:00:05] Test 4 was scheduled at 1989-12-12-22:00:05
+[1989-12-12-22:00:05] Test 3 was scheduled at 1989-12-12-22:00:05
+[1989-12-12-22:00:05] Test 2 was scheduled at 1989-12-12-22:00:05
+[1989-12-12-22:00:06] Test 1 was scheduled at 1989-12-12-22:00:05
+>> Run 6 (1989-12-12-22:00:06):
+[1989-12-12-22:00:06] Test 4 was scheduled at 1989-12-12-22:00:06
+[1989-12-12-22:00:06] Test 3 was scheduled at 1989-12-12-22:00:06
+[1989-12-12-22:00:06] Test 2 was scheduled at 1989-12-12-22:00:06
+[1989-12-12-22:00:07] Test 1 was scheduled at 1989-12-12-22:00:06
+>> Run 7 (1989-12-12-22:00:07):
+[1989-12-12-22:00:07] Test 4 was scheduled at 1989-12-12-22:00:07
+[1989-12-12-22:00:07] Test 3 was scheduled at 1989-12-12-22:00:07
+[1989-12-12-22:00:07] Test 2 was scheduled at 1989-12-12-22:00:07
+[1989-12-12-22:00:08] Test 1 was scheduled at 1989-12-12-22:00:07
+>> Run 8 (1989-12-12-22:00:08):
+[1989-12-12-22:00:08] Test 4 was scheduled at 1989-12-12-22:00:08
+[1989-12-12-22:00:08] Test 3 was scheduled at 1989-12-12-22:00:08
+[1989-12-12-22:00:08] Test 2 was scheduled at 1989-12-12-22:00:08
+[1989-12-12-22:00:09] Test 1 was scheduled at 1989-12-12-22:00:08
+>> Run 9 (1989-12-12-22:00:09):
+[1989-12-12-22:00:09] Test 4 was scheduled at 1989-12-12-22:00:09
+[1989-12-12-22:00:09] Test 3 was scheduled at 1989-12-12-22:00:09
+[1989-12-12-22:00:09] Test 2 was scheduled at 1989-12-12-22:00:09
+[1989-12-12-22:00:09] Test 1 was scheduled at 1989-12-12-22:00:09
diff --git a/testing/btest/Baseline/language.smith-waterman-test/output b/testing/btest/Baseline/language.smith-waterman-test/output
index e40358600e..63ece69aeb 100644
--- a/testing/btest/Baseline/language.smith-waterman-test/output
+++ b/testing/btest/Baseline/language.smith-waterman-test/output
@@ -29,5 +29,5 @@ tok 0: Accept (27/0, T)
 tok 1: e^M^JAccept (22/15, T)
 tok 2: Accept (27/29, T)
 xxAAxxAAxx - yyyyyAAyyyyy:
-tok 0: AA (2/5, T)
-tok 1: AA (6/5, T)
+tok 0: AA (6/5, T)
+tok 1: AA (2/5, T)
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index 21f42f873a..a4f4bce8d3 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -80,3 +80,5 @@ hole in vector of managed types, 5, [[a=T], [a=T], , , [a=T]]
 hole in vector of managed types after replacing slice, 3, [[a=T], [a=T], ]
 left shift (PASS)
 right shift (PASS)
+negative index (PASS)
+negative index (PASS)
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index e39717caf7..04f66804c6 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -558,6 +558,7 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Input::default_reader, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (KRB::ignored_errors, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_dir, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_postprocessor_cmd_env, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (MQTT::max_payload_size, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (NetControl::default_priority, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::alarmed_types, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
@@ -574,6 +575,7 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (RDP::disable_analyzer_after_detection, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (RDP::rdp_check_interval, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SIP::sip_methods, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMB::enable_clear_script_state, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMB::logged_file_actions, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_path_capture, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_transaction_validation, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
@@ -635,8 +637,11 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -662,6 +667,30 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -690,14 +719,21 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -754,7 +790,6 @@
 0.000000   MetaHookPost  CallFunction(Version::parse, ..., ...) -> <no result>
 0.000000   MetaHookPost  CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(bare_mode, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(cat, ..., ...) -> <no result>
 0.000000   MetaHookPost  CallFunction(current_time, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations)) -> <no result>
@@ -766,6 +801,7 @@
 0.000000   MetaHookPost  CallFunction(gsub, ..., ...) -> <no result>
 0.000000   MetaHookPost  CallFunction(has_event_group, <frame>, (Analyzer::Logging)) -> <no result>
 0.000000   MetaHookPost  CallFunction(has_module_events, <frame>, (Analyzer::Logging)) -> <no result>
+0.000000   MetaHookPost  CallFunction(have_spicy, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(have_spicy_analyzers, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(is_file_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
@@ -902,9 +938,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
@@ -988,6 +1021,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./spicy-events, <...>/spicy-events.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./spicy.bif.zeek, <...>/spicy.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./std-dev, <...>/std-dev.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./store, <...>/store.zeek) -> -1
@@ -1022,10 +1056,6 @@
 0.000000   MetaHookPost  LoadFile(0, <...>/__load__.zeek, <...>/__load__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/hooks.zeek, <...>/hooks.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, Zeek<...>/bare.zeek, <...>/bare.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, Zeek<...>/default.zeek, <...>/default.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, Zeek_Spicy/__load__.zeek, <...>/__load__.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, Zeek_Spicy/__preload__.zeek, <...>/__preload__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base/bif, <...>/bif) -> -1
 0.000000   MetaHookPost  LoadFile(0, base/init-default.zeek, <...>/init-default.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1
@@ -1083,6 +1113,8 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/ieee802_11, <...>/ieee802_11) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/imap, <...>/imap) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/init-bare, <...>/init-bare.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/init-framework, <...>/init-framework.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/input, <...>/input) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/input.bif, <...>/input.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/installation, <...>/installation.zeek) -> -1
@@ -1093,6 +1125,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/krb, <...>/krb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/llc, <...>/llc) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
@@ -1105,6 +1138,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol, <...>/netcontrol) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/nflog, <...>/nflog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/notice, <...>/notice) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm, <...>/ntlm) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntp, <...>/ntp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/null, <...>/null) -> -1
@@ -1135,9 +1169,11 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/skip, <...>/skip) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smb, <...>/smb) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/smtp, <...>/smtp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/snap, <...>/snap) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/snmp, <...>/snmp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/socks, <...>/socks) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/software, <...>/software) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/spicy, <...>/spicy) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ssh, <...>/ssh) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ssl, <...>/ssl) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> -1
@@ -1292,9 +1328,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
@@ -1378,6 +1411,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./spicy.bif.zeek, <...>/spicy.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, <no content>)
@@ -1412,10 +1446,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, Zeek<...>/bare.zeek, <...>/bare.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, Zeek<...>/default.zeek, <...>/default.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, Zeek_Spicy/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, Zeek_Spicy/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base/bif, <...>/bif) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base/init-default.zeek, <...>/init-default.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>)
@@ -1473,6 +1503,8 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/imap, <...>/imap) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/init-bare, <...>/init-bare.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/init-framework, <...>/init-framework.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input, <...>/input) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/installation, <...>/installation.zeek) -> (-1, <no content>)
@@ -1483,6 +1515,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/llc, <...>/llc) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
@@ -1495,6 +1528,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, <no content>)
@@ -1525,9 +1559,11 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snap, <...>/snap) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/spicy, <...>/spicy) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssh, <...>/ssh) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssl, <...>/ssl) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> (-1, <no content>)
@@ -2136,6 +2172,7 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Input::default_reader, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (KRB::ignored_errors, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_dir, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_postprocessor_cmd_env, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (MQTT::max_payload_size, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (NetControl::default_priority, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::alarmed_types, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
@@ -2152,6 +2189,7 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (RDP::disable_analyzer_after_detection, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (RDP::rdp_check_interval, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SIP::sip_methods, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMB::enable_clear_script_state, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMB::logged_file_actions, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_path_capture, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_transaction_validation, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
@@ -2213,8 +2251,11 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP))
@@ -2240,6 +2281,30 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2268,14 +2333,21 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
@@ -2332,7 +2404,6 @@
 0.000000   MetaHookPre   CallFunction(Version::parse, ..., ...)
 0.000000   MetaHookPre   CallFunction(__init_primary_bifs, <null>, ())
 0.000000   MetaHookPre   CallFunction(__init_secondary_bifs, <null>, ())
-0.000000   MetaHookPre   CallFunction(bare_mode, <null>, ())
 0.000000   MetaHookPre   CallFunction(cat, ..., ...)
 0.000000   MetaHookPre   CallFunction(current_time, <frame>, ())
 0.000000   MetaHookPre   CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations))
@@ -2344,6 +2415,7 @@
 0.000000   MetaHookPre   CallFunction(gsub, ..., ...)
 0.000000   MetaHookPre   CallFunction(has_event_group, <frame>, (Analyzer::Logging))
 0.000000   MetaHookPre   CallFunction(has_module_events, <frame>, (Analyzer::Logging))
+0.000000   MetaHookPre   CallFunction(have_spicy, <null>, ())
 0.000000   MetaHookPre   CallFunction(have_spicy_analyzers, <null>, ())
 0.000000   MetaHookPre   CallFunction(is_file_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
@@ -2480,9 +2552,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2566,6 +2635,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./smb2-main, <...>/smb2-main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./spicy-events, <...>/spicy-events.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./spicy.bif.zeek, <...>/spicy.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./store, <...>/store.zeek)
@@ -2600,10 +2670,6 @@
 0.000000   MetaHookPre   LoadFile(0, <...>/__load__.zeek, <...>/__load__.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/__preload__.zeek, <...>/__preload__.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/hooks.zeek, <...>/hooks.zeek)
-0.000000   MetaHookPre   LoadFile(0, Zeek<...>/bare.zeek, <...>/bare.zeek)
-0.000000   MetaHookPre   LoadFile(0, Zeek<...>/default.zeek, <...>/default.zeek)
-0.000000   MetaHookPre   LoadFile(0, Zeek_Spicy/__load__.zeek, <...>/__load__.zeek)
-0.000000   MetaHookPre   LoadFile(0, Zeek_Spicy/__preload__.zeek, <...>/__preload__.zeek)
 0.000000   MetaHookPre   LoadFile(0, base/bif, <...>/bif)
 0.000000   MetaHookPre   LoadFile(0, base/init-default.zeek, <...>/init-default.zeek)
 0.000000   MetaHookPre   LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
@@ -2661,6 +2727,8 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/ieee802_11, <...>/ieee802_11)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio)
 0.000000   MetaHookPre   LoadFile(0, base<...>/imap, <...>/imap)
+0.000000   MetaHookPre   LoadFile(0, base<...>/init-bare, <...>/init-bare.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/init-framework, <...>/init-framework.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/input, <...>/input)
 0.000000   MetaHookPre   LoadFile(0, base<...>/input.bif, <...>/input.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/installation, <...>/installation.zeek)
@@ -2671,6 +2739,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFile(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
@@ -2683,6 +2752,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFile(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFile(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/null, <...>/null)
@@ -2713,9 +2783,11 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFile(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFile(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFile(0, base<...>/software, <...>/software)
+0.000000   MetaHookPre   LoadFile(0, base<...>/spicy, <...>/spicy)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ssh, <...>/ssh)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ssl, <...>/ssl)
 0.000000   MetaHookPre   LoadFile(0, base<...>/stats.bif, <...>/stats.bif.zeek)
@@ -2870,9 +2942,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2956,6 +3025,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./spicy.bif.zeek, <...>/spicy.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./store, <...>/store.zeek)
@@ -2990,10 +3060,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, Zeek<...>/bare.zeek, <...>/bare.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, Zeek<...>/default.zeek, <...>/default.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, Zeek_Spicy/__load__.zeek, <...>/__load__.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, Zeek_Spicy/__preload__.zeek, <...>/__preload__.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base/bif, <...>/bif)
 0.000000   MetaHookPre   LoadFileExtended(0, base/init-default.zeek, <...>/init-default.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
@@ -3051,6 +3117,8 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/imap, <...>/imap)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/init-bare, <...>/init-bare.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/init-framework, <...>/init-framework.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input, <...>/input)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/installation, <...>/installation.zeek)
@@ -3061,6 +3129,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll2, <...>/linux_sll2)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/llc, <...>/llc)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
@@ -3073,6 +3142,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/nflog, <...>/nflog)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/novell_802_3, <...>/novell_802_3)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntlm, <...>/ntlm)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntp, <...>/ntp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/null, <...>/null)
@@ -3103,9 +3173,11 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/skip, <...>/skip)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smb, <...>/smb)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snap, <...>/snap)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snmp, <...>/snmp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/socks, <...>/socks)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/software, <...>/software)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/spicy, <...>/spicy)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssh, <...>/ssh)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssl, <...>/ssl)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek)
@@ -3713,6 +3785,7 @@
 0.000000 | HookCallFunction Option::set_change_handler(Input::default_reader, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(KRB::ignored_errors, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Log::default_rotation_dir, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(Log::default_rotation_postprocessor_cmd_env, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(MQTT::max_payload_size, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(NetControl::default_priority, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Notice::alarmed_types, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
@@ -3729,6 +3802,7 @@
 0.000000 | HookCallFunction Option::set_change_handler(RDP::disable_analyzer_after_detection, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(RDP::rdp_check_interval, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(SIP::sip_methods, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(SMB::enable_clear_script_state, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(SMB::logged_file_actions, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(SMTP::mail_path_capture, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(SMTP::mail_transaction_validation, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
@@ -3790,8 +3864,11 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 1, PacketAnalyzer::ANALYZER_SNAP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 3, PacketAnalyzer::ANALYZER_LLC)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)
@@ -3817,6 +3894,30 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33280, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33296, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33312, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33328, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33344, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33360, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33376, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33392, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33408, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33424, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33440, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33456, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33472, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33488, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33504, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33520, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33536, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33552, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33568, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33584, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33600, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33616, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33632, PacketAnalyzer::ANALYZER_IEEE802_11)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IPTUNNEL, 33648, PacketAnalyzer::ANALYZER_IEEE802_11)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3845,14 +3946,21 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 276, PacketAnalyzer::ANALYZER_LINUXSLL2)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 32821, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SNAP, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 1, PacketAnalyzer::ANALYZER_SNAP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2, PacketAnalyzer::ANALYZER_NOVELL_802_3)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 3, PacketAnalyzer::ANALYZER_LLC)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)
@@ -3909,7 +4017,6 @@
 0.000000 | HookCallFunction Version::parse(...)
 0.000000 | HookCallFunction __init_primary_bifs()
 0.000000 | HookCallFunction __init_secondary_bifs()
-0.000000 | HookCallFunction bare_mode()
 0.000000 | HookCallFunction cat(...)
 0.000000 | HookCallFunction current_time()
 0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
@@ -3921,6 +4028,7 @@
 0.000000 | HookCallFunction gsub(...)
 0.000000 | HookCallFunction has_event_group(Analyzer::Logging)
 0.000000 | HookCallFunction has_module_events(Analyzer::Logging)
+0.000000 | HookCallFunction have_spicy()
 0.000000 | HookCallFunction have_spicy_analyzers()
 0.000000 | HookCallFunction is_file_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
@@ -4057,9 +4165,6 @@
 0.000000 | HookLoadFile  ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4154,6 +4259,7 @@
 0.000000 | HookLoadFile  ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFile  ./smb2-main <...>/smb2-main.zeek
 0.000000 | HookLoadFile  ./spicy-events <...>/spicy-events.zeek
+0.000000 | HookLoadFile  ./spicy.bif.zeek <...>/spicy.bif.zeek
 0.000000 | HookLoadFile  ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFile  ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFile  ./store <...>/store.zeek
@@ -4189,10 +4295,6 @@
 0.000000 | HookLoadFile  <...>/__load__.zeek <...>/__load__.zeek
 0.000000 | HookLoadFile  <...>/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFile  <...>/hooks.zeek <...>/hooks.zeek
-0.000000 | HookLoadFile  Zeek<...>/bare.zeek <...>/bare.zeek
-0.000000 | HookLoadFile  Zeek<...>/default.zeek <...>/default.zeek
-0.000000 | HookLoadFile  Zeek_Spicy/__load__.zeek <...>/__load__.zeek
-0.000000 | HookLoadFile  Zeek_Spicy/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFile  base/bif <...>/bif
 0.000000 | HookLoadFile  base/init-default.zeek <...>/init-default.zeek
 0.000000 | HookLoadFile  base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
@@ -4250,6 +4352,8 @@
 0.000000 | HookLoadFile  base<...>/ieee802_11 <...>/ieee802_11
 0.000000 | HookLoadFile  base<...>/ieee802_11_radio <...>/ieee802_11_radio
 0.000000 | HookLoadFile  base<...>/imap <...>/imap
+0.000000 | HookLoadFile  base<...>/init-bare <...>/init-bare.zeek
+0.000000 | HookLoadFile  base<...>/init-framework <...>/init-framework.zeek
 0.000000 | HookLoadFile  base<...>/input <...>/input
 0.000000 | HookLoadFile  base<...>/input.bif <...>/input.bif.zeek
 0.000000 | HookLoadFile  base<...>/installation <...>/installation.zeek
@@ -4260,6 +4364,7 @@
 0.000000 | HookLoadFile  base<...>/krb <...>/krb
 0.000000 | HookLoadFile  base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFile  base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFile  base<...>/llc <...>/llc
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
@@ -4272,6 +4377,7 @@
 0.000000 | HookLoadFile  base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFile  base<...>/nflog <...>/nflog
 0.000000 | HookLoadFile  base<...>/notice <...>/notice
+0.000000 | HookLoadFile  base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFile  base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFile  base<...>/ntp <...>/ntp
 0.000000 | HookLoadFile  base<...>/null <...>/null
@@ -4302,9 +4408,11 @@
 0.000000 | HookLoadFile  base<...>/skip <...>/skip
 0.000000 | HookLoadFile  base<...>/smb <...>/smb
 0.000000 | HookLoadFile  base<...>/smtp <...>/smtp
+0.000000 | HookLoadFile  base<...>/snap <...>/snap
 0.000000 | HookLoadFile  base<...>/snmp <...>/snmp
 0.000000 | HookLoadFile  base<...>/socks <...>/socks
 0.000000 | HookLoadFile  base<...>/software <...>/software
+0.000000 | HookLoadFile  base<...>/spicy <...>/spicy
 0.000000 | HookLoadFile  base<...>/ssh <...>/ssh
 0.000000 | HookLoadFile  base<...>/ssl <...>/ssl
 0.000000 | HookLoadFile  base<...>/stats.bif <...>/stats.bif.zeek
@@ -4447,9 +4555,6 @@
 0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4544,6 +4649,7 @@
 0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek
 0.000000 | HookLoadFileExtended ./spicy-events <...>/spicy-events.zeek
+0.000000 | HookLoadFileExtended ./spicy.bif.zeek <...>/spicy.bif.zeek
 0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFileExtended ./store <...>/store.zeek
@@ -4579,10 +4685,6 @@
 0.000000 | HookLoadFileExtended <...>/__load__.zeek <...>/__load__.zeek
 0.000000 | HookLoadFileExtended <...>/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFileExtended <...>/hooks.zeek <...>/hooks.zeek
-0.000000 | HookLoadFileExtended Zeek<...>/bare.zeek <...>/bare.zeek
-0.000000 | HookLoadFileExtended Zeek<...>/default.zeek <...>/default.zeek
-0.000000 | HookLoadFileExtended Zeek_Spicy/__load__.zeek <...>/__load__.zeek
-0.000000 | HookLoadFileExtended Zeek_Spicy/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFileExtended base/bif <...>/bif
 0.000000 | HookLoadFileExtended base/init-default.zeek <...>/init-default.zeek
 0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
@@ -4640,6 +4742,8 @@
 0.000000 | HookLoadFileExtended base<...>/ieee802_11 <...>/ieee802_11
 0.000000 | HookLoadFileExtended base<...>/ieee802_11_radio <...>/ieee802_11_radio
 0.000000 | HookLoadFileExtended base<...>/imap <...>/imap
+0.000000 | HookLoadFileExtended base<...>/init-bare <...>/init-bare.zeek
+0.000000 | HookLoadFileExtended base<...>/init-framework <...>/init-framework.zeek
 0.000000 | HookLoadFileExtended base<...>/input <...>/input
 0.000000 | HookLoadFileExtended base<...>/input.bif <...>/input.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/installation <...>/installation.zeek
@@ -4650,6 +4754,7 @@
 0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
 0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
 0.000000 | HookLoadFileExtended base<...>/linux_sll2 <...>/linux_sll2
+0.000000 | HookLoadFileExtended base<...>/llc <...>/llc
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
@@ -4662,6 +4767,7 @@
 0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol
 0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog
 0.000000 | HookLoadFileExtended base<...>/notice <...>/notice
+0.000000 | HookLoadFileExtended base<...>/novell_802_3 <...>/novell_802_3
 0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm
 0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp
 0.000000 | HookLoadFileExtended base<...>/null <...>/null
@@ -4692,9 +4798,11 @@
 0.000000 | HookLoadFileExtended base<...>/skip <...>/skip
 0.000000 | HookLoadFileExtended base<...>/smb <...>/smb
 0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp
+0.000000 | HookLoadFileExtended base<...>/snap <...>/snap
 0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp
 0.000000 | HookLoadFileExtended base<...>/socks <...>/socks
 0.000000 | HookLoadFileExtended base<...>/software <...>/software
+0.000000 | HookLoadFileExtended base<...>/spicy <...>/spicy
 0.000000 | HookLoadFileExtended base<...>/ssh <...>/ssh
 0.000000 | HookLoadFileExtended base<...>/ssl <...>/ssl
 0.000000 | HookLoadFileExtended base<...>/stats.bif <...>/stats.bif.zeek
diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_build b/testing/btest/Baseline/plugins.packet-protocol/output_build
index 4097618014..69477c96b6 100644
--- a/testing/btest/Baseline/plugins.packet-protocol/output_build
+++ b/testing/btest/Baseline/plugins.packet-protocol/output_build
@@ -1,7 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0)
-    [Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO, enabled)
+PacketDemo::Bar - Demo packet analyzers (RawLayer). (dynamic, version 1.0.0)
     [Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER, enabled)
     [Event] raw_layer_message
-    [Event] llc_demo_message
 
diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_llc b/testing/btest/Baseline/plugins.packet-protocol/output_llc
deleted file mode 100644
index 90afbf2ca1..0000000000
--- a/testing/btest/Baseline/plugins.packet-protocol/output_llc
+++ /dev/null
@@ -1,5 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
-llc_demo_message (DSAP = 42, SSAP = 42, Control = 3)
diff --git a/testing/btest/Baseline/scripts.base.files.x509.files/files.log b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
index e64dfc52c0..ce19924fa1 100644
--- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.toggle-packet-analyzers/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.toggle-packet-analyzers/output
index 39cd890e18..2e50df15ab 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.toggle-packet-analyzers/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.toggle-packet-analyzers/output
@@ -1,9 +1,9 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 packet, 1
 packet, 2
-vxlan_packet, C4J4Th3PJpwUYZZ6gc, inner, [hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2]
+vxlan_packet, C4J4Th3PJpwUYZZ6gc, inner, [hl=20, tos=0, len=84, id=12111, DF=T, MF=F, offset=0, ttl=64, p=1, sum=63319, src=10.0.0.1, dst=10.0.0.2]
 packet, 3
-vxlan_packet, CtPZjS20MLrsMUOJi2, inner, [hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1]
+vxlan_packet, CtPZjS20MLrsMUOJi2, inner, [hl=20, tos=0, len=84, id=36913, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54901, src=10.0.0.2, dst=10.0.0.1]
 packet, 4
 Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_VXLAN), T
 packet, 5
@@ -11,7 +11,7 @@ packet, 6
 packet, 7
 packet, 8
 Analyzer::enable_analyzer(PacketAnalyzer::ANALYZER_VXLAN), T
-vxlan_packet, C4J4Th3PJpwUYZZ6gc, inner, [hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2]
+vxlan_packet, C4J4Th3PJpwUYZZ6gc, inner, [hl=20, tos=0, len=84, id=12684, DF=T, MF=F, offset=0, ttl=64, p=1, sum=62746, src=10.0.0.1, dst=10.0.0.2]
 packet, 9
-vxlan_packet, CtPZjS20MLrsMUOJi2, inner, [hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1]
+vxlan_packet, CtPZjS20MLrsMUOJi2, inner, [hl=20, tos=0, len=84, id=37295, DF=F, MF=F, offset=0, ttl=64, p=1, sum=54519, src=10.0.0.2, dst=10.0.0.1]
 packet, 10
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/manager-1..stdout
index 4bbd46575e..49d861c74c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/manager-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/manager-1..stdout
@@ -1,10 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
-Connected to a peer
-Connected to a peer
-Connected to a peer
-Connected to a peer
-Got fully_connected event
-Got fully_connected event
-Got fully_connected event
-Got fully_connected event
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-1..stdout
index 5093baf444..49d861c74c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-1..stdout
@@ -1,4 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Connected to a peer
-Connected to a peer
-Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-2..stdout
index 5093baf444..49d861c74c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-2..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/proxy-2..stdout
@@ -1,4 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Connected to a peer
-Connected to a peer
-Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-1..stdout
index 5093baf444..49d861c74c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-1..stdout
@@ -1,4 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Connected to a peer
-Connected to a peer
-Connected to a peer
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-2..stdout
index 9f78de549b..3a811915d4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-2..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.forwarding/worker-2..stdout
@@ -1,5 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Connected to a peer
-Connected to a peer
-Connected to a peer
 got forwarded event
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.from_json/out b/testing/btest/Baseline/scripts.base.frameworks.input.from_json/out
new file mode 100644
index 0000000000..6376dd8577
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.from_json/out
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Valid: [ip=192.168.0.1, source=local, timestamp=1990-09-22T12:13:14, timestamp_parsed=654005594.0] ({"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-22T12:13:14"})
+Valid: [ip=192.168.0.1, source=local, timestamp=1990-09-23T13:14:15, timestamp_parsed=654095655.0] ({"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-23T13:14:15"})
+Valid: [ip=192.168.0.2, source=local, timestamp=<uninitialized>, timestamp_parsed=<uninitialized>] ({"ip": "192.168.0.2", "source": "local"})
+Invalid: '{"source": "local"}'
+Invalid: '{... ]'
+Valid: [ip=8.8.4.4, source=remote, timestamp=<uninitialized>, timestamp_parsed=<uninitialized>] ({"ip": "8.8.4.4", "source": "remote"})
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out
index e09e95e053..8c75626e45 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out
@@ -1,289 +1,13 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-q3r3057fdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdfs\d
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-dfsdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-3rw43wRRERLlL#RWERERERE.
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-q3r3057fdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdfs\d
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-dfsdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-sdf
-[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
-{ 
-print outfile, A::description;
-print outfile, A::tpe;
-print outfile, A::s;
-try = try + 1;
-if (16 == try) 
-{ 
-Input::remove(input);
-close(outfile);
-terminate();
-}
-
-}, error_ev=<uninitialized>, config={
-
-}]
-Input::EVENT_NEW
-3rw43wRRERLlL#RWERERERE.
+1, Input::EVENT_NEW, sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF, 39
+2, Input::EVENT_NEW, DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF, 42
+3, Input::EVENT_NEW, q3r3057fdf, 10
+4, Input::EVENT_NEW, sdfs\d, 6
+5, Input::EVENT_NEW, , 0
+6, Input::EVENT_NEW, dfsdf, 5
+7, Input::EVENT_NEW, sdf, 3
+8, Input::EVENT_NEW, 3rw43wRRERLlL#RWERERERE., 24
+end_of_data, updating input.log
+9, Input::EVENT_NEW, Beginning of input2.log, 23
+10, Input::EVENT_NEW, 3rw43wRRERLlL#RWERERERE., 24
+11, Input::EVENT_NEW, game over, 9
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw2/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw2/out
new file mode 100644
index 0000000000..ffa4b2758d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw2/out
@@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+A::line, 1, First, 5
+A::line, 2, Second, 6
+A::line, 3, Third, 5
+A::line, 4, , 0
+A::line, 5, Fourth, 6
+end_of_data, input, ./input.log
+terminate
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-pp-env/out b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-pp-env/out
new file mode 100644
index 0000000000..ed151a8f97
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.rotate-pp-env/out
@@ -0,0 +1,31 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
+ZEEK_ARG_EXTERNAL=external
+ZEEK_ARG_INIT=zeek_init
+ZEEK_ARG_REDEF=redef
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/.stdout
new file mode 100644
index 0000000000..af7330beb9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/.stdout
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ntp_message 192.168.1.95 -> 17.253.4.253:123 (D^)
+ntp_message 192.168.1.95 -> 17.253.4.253:123 (D^)
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log
new file mode 100644
index 0000000000..d2639d9ea4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.95	123	17.253.4.253	123	udp	-	0.959285	96	0	S0	T	F	0	D^	2	152	0	0	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/ntp.log
new file mode 100644
index 0000000000..736e20827e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/ntp.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	ref_id	ref_time	org_time	rec_time	xmt_time	num_exts
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	time	time	time	time	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.95	123	17.253.4.253	123	4	4	1	256.000000	0.000001	0.000000	0.000992	GPSs	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.95	123	17.253.4.253	123	4	3	0	256.000000	1.000000	0.000000	0.000000	\x00\x00\x00\x00	0.000000	0.000000	0.000000	XXXXXXXXXX.XXXXXX	0
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
new file mode 100644
index 0000000000..524f00fa21
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/out
@@ -0,0 +1,25 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state after, read, 0
+smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, read, 15
+smb2_discarded_messages_state after, read, 0
+smb2_discarded_messages_state before, tree, 5
+smb2_discarded_messages_state after, tree, 0
+smb2_discarded_messages_state before, tree, 20
+smb2_discarded_messages_state after, tree, 0
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/weird.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/weird.log
new file mode 100644
index 0000000000..f7d257af1b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-max-pending-messages/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	34884	127.0.0.1	445	SMB_discarded_messages_state	state=tree fid_map=0 tid_map=2 pending_cmds=20 pipe_map=0	F	zeek	SMB2
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout b/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout
new file mode 100644
index 0000000000..172032872f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snap.snap-arp/.stdout
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
+c2:3d:19:6c:00:01, ff:ff:ff:ff:ff:ff, 10.0.0.1, c2:3d:19:6c:00:01, 10.0.0.2, 00:00:00:00:00:00
+c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01
+c2:3c:19:6c:00:01, c2:3d:19:6c:00:01, 10.0.0.2, c2:3c:19:6c:00:01, 10.0.0.1, c2:3d:19:6c:00:01
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
new file mode 100644
index 0000000000..439fc963f9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
@@ -0,0 +1,52 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1298
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 61
+start CID test
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, fancy server CID
+SH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 52
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 89
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1365
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1292
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 310
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 82
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1366
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 68
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1378
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1237
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1351
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
new file mode 100644
index 0000000000..87b51d1170
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
@@ -0,0 +1,25 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.168.36.147	33714	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.168.36.147	57488	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	10.168.36.147	47904	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.168.36.147	52232	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCC	-	-	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.168.36.147	56544	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCC	-	-	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	10.168.36.147	58771	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCCC	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
index 54ebb6fe84..8ec1f6448a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv1
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	CsiICs	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	CjiICs	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index c92ba22c31..42dab79805 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -65,10 +65,8 @@ XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX mime_begin_entity
 XXXXXXXXXX.XXXXXX mime_one_header
 XXXXXXXXXX.XXXXXX mime_one_header
@@ -76,10 +74,8 @@ XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX mime_end_entity
 XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX get_file_handle
@@ -94,9 +90,7 @@ XXXXXXXXXX.XXXXXX new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX mime_end_entity
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_state_remove
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX mime_end_entity
 XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX get_file_handle
@@ -156,12 +150,10 @@ XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX get_file_handle
-XXXXXXXXXX.XXXXXX get_file_handle
 XXXXXXXXXX.XXXXXX smtp_request
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX Broker::log_flush
@@ -189,7 +181,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -202,13 +193,13 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX file_new
 XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_hash
-XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX x509_certificate
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
@@ -218,6 +209,7 @@ XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
 XXXXXXXXXX.XXXXXX x509_extension
+XXXXXXXXXX.XXXXXX file_hash
 XXXXXXXXXX.XXXXXX file_state_remove
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_handshake_message
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 745a446cf3..cbf9dc9437 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -313,11 +313,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=FmFp351N5nhsMmAfQg, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
@@ -325,11 +320,6 @@ XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=FmFp351N5nhsMmAfQg, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
 XXXXXXXXXX.XXXXXX mime_begin_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
@@ -357,11 +347,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=Fqrb1K5DWEfgy4WU2, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T]
@@ -369,11 +354,6 @@ XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=Fqrb1K5DWEfgy4WU2, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.035156 usecs, local_orig=T, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
@@ -426,19 +406,9 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=FEFYSd1s8Onn9LynKj, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=XXXXXXXXXX.XXXXXX, fuid=FEFYSd1s8Onn9LynKj, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.819611 usecs, local_orig=T, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
@@ -709,11 +679,6 @@ XXXXXXXXXX.XXXXXX file_over_new_connection
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=Fc5KpS3kUYqDLwWSMf, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
@@ -721,11 +686,6 @@ XXXXXXXXXX.XXXXXX file_sniff
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=Fc5KpS3kUYqDLwWSMf, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
 XXXXXXXXXX.XXXXXX get_file_handle
                   [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
                   [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -771,41 +731,41 @@ XXXXXXXXXX.XXXXXX ssl_extension_server_name
                   [2] names: string_vec  = [p31-keyvalueservice.icloud.com]
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 0
                   [3] val: string        = \x00!\x00\x00\x1ep31-keyvalueservice.icloud.com
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 10
                   [3] val: string        = \x00\x06\x00\x17\x00\x18\x00\x19
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 11
                   [3] val: string        = \x01\x00
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 13
                   [3] val: string        = \x00\x0a\x05\x01\x04\x01\x02\x01\x04\x03\x02\x03
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 13172
                   [3] val: string        = 
 
 XXXXXXXXXX.XXXXXX analyzer_confirmation_info
                   [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_SSL
-                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], f=<uninitialized>, aid=35]
+                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], f=<uninitialized>, aid=35]
 
 XXXXXXXXXX.XXXXXX ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] record_version: count = 769
                   [3] possible_ts: time  = XXXXXXXXXX.XXXXXX
@@ -815,26 +775,26 @@ XXXXXXXXXX.XXXXXX ssl_client_hello
                   [7] comp_methods: index_vec = [0]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] msg_type: count    = 1
                   [3] length: count      = 192
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 769
                   [3] content_type: count = 22
                   [4] length: count      = 196
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] code: count        = 65281
                   [3] val: string        = \x00
 
 XXXXXXXXXX.XXXXXX ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] record_version: count = 771
                   [3] possible_ts: time  = XXXXXXXXXX.XXXXXX
@@ -844,213 +804,213 @@ XXXXXXXXXX.XXXXXX ssl_server_hello
                   [7] comp_method: count = 0
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 2
                   [3] length: count      = 77
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-user-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = md5
                   [2] hash: string       = 1bf9696d9f337805383427e88781d001
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56
 
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
-
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-ca-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = md5
                   [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b
 
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
-
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 2596
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 262
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX net_done
                   [0] t: time            = XXXXXXXXXX.XXXXXX
@@ -1059,7 +1019,7 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX run_sync_hook
 XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_state_remove
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
index 6cd86e5aee..06276d7a7a 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
@@ -14,7 +14,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=62, id=9482, ttl=128, p=17, src=10.10.1.4, dst=10.10.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=56166/udp, dport=53/udp, ulen=42], icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=62, id=9482, DF=F, MF=F, offset=0, ttl=128, p=17, sum=65420, src=10.10.1.4, dst=10.10.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=56166/udp, dport=53/udp, ulen=42], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -51,7 +51,7 @@ XXXXXXXXXX.XXXXXX dns_end
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=76, cap_len=76, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=62, id=9482, ttl=128, p=17, src=10.10.1.4, dst=10.10.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=56166/udp, dport=53/udp, ulen=42], icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=76, cap_len=76, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=62, id=9482, DF=F, MF=F, offset=0, ttl=128, p=17, sum=65420, src=10.10.1.4, dst=10.10.1.1], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=56166/udp, dport=53/udp, ulen=42], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -60,7 +60,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=128, id=0, ttl=64, p=17, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=128, id=0, DF=T, MF=F, offset=0, ttl=64, p=17, sum=9301, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -100,7 +100,7 @@ XXXXXXXXXX.XXXXXX dns_end
                   [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=142, cap_len=142, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=128, id=0, ttl=64, p=17, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=142, cap_len=142, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=128, id=0, DF=T, MF=F, offset=0, ttl=64, p=17, sum=9301, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX DNS::log_dns
@@ -115,7 +115,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=48, id=9488, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795696, ack=0, hl=28, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=48, id=9488, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62427, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795696, ack=0, hl=28, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -160,13 +160,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1460, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=48, id=9488, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795696, ack=0, hl=28, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=48, id=9488, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62427, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795696, ack=0, hl=28, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=346.0 msecs 950.054169 usecs, service={\x0a\x0a}, history=Sh, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=48, id=0, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727087, ack=2126795697, hl=28, dl=0, reserved=0, flags=18, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=48, id=0, DF=T, MF=F, offset=0, ttl=50, p=6, sum=26252, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727087, ack=2126795697, hl=28, dl=0, reserved=0, flags=18, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=346.0 msecs 950.054169 usecs, service={\x0a\x0a}, history=Sh, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -214,13 +214,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1460, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=48, id=0, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727087, ack=2126795697, hl=28, dl=0, reserved=0, flags=18, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=48, id=0, DF=T, MF=F, offset=0, ttl=50, p=6, sum=26252, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727087, ack=2126795697, hl=28, dl=0, reserved=0, flags=18, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=346.0 msecs 982.002258 usecs, service={\x0a\x0a}, history=ShA, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9489, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727088, hl=20, dl=0, reserved=0, flags=16, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9489, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62434, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727088, hl=20, dl=0, reserved=0, flags=16, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_first_ACK
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=346.0 msecs 982.002258 usecs, service={\x0a\x0a}, history=ShA, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -235,13 +235,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9489, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727088, hl=20, dl=0, reserved=0, flags=16, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9489, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62434, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727088, hl=20, dl=0, reserved=0, flags=16, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=221, id=8674, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727088, ack=2126795697, hl=20, dl=181, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=221, id=8674, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17405, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727088, ack=2126795697, hl=20, dl=181, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -281,13 +281,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=235, cap_len=235, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=221, id=8674, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727088, ack=2126795697, hl=20, dl=181, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=235, cap_len=235, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=221, id=8674, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17405, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727088, ack=2126795697, hl=20, dl=181, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=49, id=9503, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727269, hl=20, dl=9, reserved=0, flags=24, win=65354], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=49, id=9503, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62411, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727269, hl=20, dl=9, reserved=0, flags=24, win=65354], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -318,14 +318,14 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = GP
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=63, cap_len=63, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=49, id=9503, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727269, hl=20, dl=9, reserved=0, flags=24, win=65354], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=63, cap_len=63, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=49, id=9503, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62411, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795697, ack=2934727269, hl=20, dl=9, reserved=0, flags=24, win=65354], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 36.0 msecs 339.998245 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8675, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=0, reserved=0, flags=16, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8675, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17585, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=0, reserved=0, flags=16, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 36.0 msecs 339.998245 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -337,14 +337,14 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8675, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=0, reserved=0, flags=16, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8675, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17585, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=0, reserved=0, flags=16, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=177, id=8676, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=137, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=177, id=8676, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17447, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=137, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -408,7 +408,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=191, cap_len=191, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=177, id=8676, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=137, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=191, cap_len=191, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=177, id=8676, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17447, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727269, ack=2126795706, hl=20, dl=137, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -417,7 +417,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=9508, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795706, ack=2934727406, hl=20, dl=12, reserved=0, flags=24, win=65217], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=9508, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62403, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795706, ack=2934727406, hl=20, dl=12, reserved=0, flags=24, win=65217], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -439,13 +439,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = LOGIN
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=9508, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795706, ack=2934727406, hl=20, dl=12, reserved=0, flags=24, win=65217], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=9508, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62403, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795706, ack=2934727406, hl=20, dl=12, reserved=0, flags=24, win=65217], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=58, id=8677, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727406, ack=2126795718, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=58, id=8677, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17565, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727406, ack=2126795718, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -469,13 +469,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=58, id=8677, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727406, ack=2126795718, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=58, id=8677, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17565, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727406, ack=2126795718, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=70, id=9513, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795718, ack=2934727424, hl=20, dl=30, reserved=0, flags=24, win=65199], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=70, id=9513, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62380, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795718, ack=2934727424, hl=20, dl=30, reserved=0, flags=24, win=65199], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -497,14 +497,14 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=84, cap_len=84, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=70, id=9513, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795718, ack=2934727424, hl=20, dl=30, reserved=0, flags=24, win=65199], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=84, cap_len=84, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=70, id=9513, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62380, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795718, ack=2934727424, hl=20, dl=30, reserved=0, flags=24, win=65199], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=58, id=8678, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727424, ack=2126795748, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=58, id=8678, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17564, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727424, ack=2126795748, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -528,7 +528,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=58, id=8678, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727424, ack=2126795748, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=58, id=8678, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17564, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727424, ack=2126795748, hl=20, dl=18, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -538,7 +538,7 @@ XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=58, id=9518, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795748, ack=2934727442, hl=20, dl=18, reserved=0, flags=24, win=65181], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=58, id=9518, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62387, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795748, ack=2934727442, hl=20, dl=18, reserved=0, flags=24, win=65181], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -560,7 +560,7 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = cHVuamFiQDEyMw==
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=58, id=9518, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795748, ack=2934727442, hl=20, dl=18, reserved=0, flags=24, win=65181], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=58, id=9518, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62387, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795748, ack=2934727442, hl=20, dl=18, reserved=0, flags=24, win=65181], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -570,7 +570,7 @@ XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=70, id=8679, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727442, ack=2126795766, hl=20, dl=30, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=70, id=8679, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17551, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727442, ack=2126795766, hl=20, dl=30, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -594,13 +594,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=84, cap_len=84, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=70, id=8679, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727442, ack=2126795766, hl=20, dl=30, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=84, cap_len=84, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=70, id=8679, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17551, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727442, ack=2126795766, hl=20, dl=30, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=9523, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795766, ack=2934727472, hl=20, dl=36, reserved=0, flags=24, win=65151], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=9523, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62364, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795766, ack=2934727472, hl=20, dl=36, reserved=0, flags=24, win=65151], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -628,13 +628,13 @@ XXXXXXXXXX.XXXXXX smtp_unexpected
                   [3] detail: string     = MAIL reply = 0 state = 1
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=9523, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795766, ack=2934727472, hl=20, dl=36, reserved=0, flags=24, win=65151], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=9523, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62364, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795766, ack=2934727472, hl=20, dl=36, reserved=0, flags=24, win=65151], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=48, id=8680, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727472, ack=2126795802, hl=20, dl=8, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=48, id=8680, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17572, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727472, ack=2126795802, hl=20, dl=8, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -658,14 +658,14 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=48, id=8680, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727472, ack=2126795802, hl=20, dl=8, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=62, cap_len=62, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=48, id=8680, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17572, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727472, ack=2126795802, hl=20, dl=8, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=79, id=9528, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795802, ack=2934727480, hl=20, dl=39, reserved=0, flags=24, win=65143], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=79, id=9528, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62356, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795802, ack=2934727480, hl=20, dl=39, reserved=0, flags=24, win=65143], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -687,7 +687,7 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=93, cap_len=93, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=79, id=9528, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795802, ack=2934727480, hl=20, dl=39, reserved=0, flags=24, win=65143], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=93, cap_len=93, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=79, id=9528, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62356, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795802, ack=2934727480, hl=20, dl=39, reserved=0, flags=24, win=65143], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -696,7 +696,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=54, id=8681, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727480, ack=2126795841, hl=20, dl=14, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=54, id=8681, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17565, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727480, ack=2126795841, hl=20, dl=14, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -720,13 +720,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=54, id=8681, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727480, ack=2126795841, hl=20, dl=14, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=54, id=8681, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17565, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727480, ack=2126795841, hl=20, dl=14, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=9533, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795841, ack=2934727494, hl=20, dl=6, reserved=0, flags=24, win=65129], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=9533, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62384, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795841, ack=2934727494, hl=20, dl=6, reserved=0, flags=24, win=65129], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -751,7 +751,7 @@ XXXXXXXXXX.XXXXXX mime_begin_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=9533, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795841, ack=2934727494, hl=20, dl=6, reserved=0, flags=24, win=65129], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=9533, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62384, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795841, ack=2934727494, hl=20, dl=6, reserved=0, flags=24, win=65129], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -759,7 +759,7 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=96, id=8682, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727494, ack=2126795847, hl=20, dl=56, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=96, id=8682, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17522, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727494, ack=2126795847, hl=20, dl=56, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -783,7 +783,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=110, cap_len=110, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=96, id=8682, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727494, ack=2126795847, hl=20, dl=56, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=110, cap_len=110, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=96, id=8682, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17522, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727494, ack=2126795847, hl=20, dl=56, reserved=0, flags=24, win=5840], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -792,7 +792,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9551, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9551, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60912, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -1169,12 +1169,6 @@ XXXXXXXXXX.XXXXXX mime_entity_data
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=FmFp351N5nhsMmAfQg, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
@@ -1183,15 +1177,6 @@ XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=FmFp351N5nhsMmAfQg, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
-XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
-
 XXXXXXXXXX.XXXXXX mime_begin_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=3, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
@@ -1243,6 +1228,9 @@ XXXXXXXXXX.XXXXXX get_file_handle
                   [2] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
+XXXXXXXXXX.XXXXXX Files::log_files
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FmFp351N5nhsMmAfQg, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+
 XXXXXXXXXX.XXXXXX file_new
                   [0] f: fa_file         = [id=Fqrb1K5DWEfgy4WU2, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 697.004318 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
@@ -1269,13 +1257,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9551, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9551, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60912, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 739.919662 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9552, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797307, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9552, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60911, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797307, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 739.919662 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -1841,13 +1829,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = <div class=3DSection1>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9552, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797307, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9552, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60911, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797307, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9553, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798767, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9553, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60910, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798767, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2060,12 +2048,6 @@ XXXXXXXXXX.XXXXXX mime_entity_data
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=[filename=<uninitialized>], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=Fqrb1K5DWEfgy4WU2, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T]
@@ -2074,15 +2056,6 @@ XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=Fqrb1K5DWEfgy4WU2, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">\x0d\x0a<meta name=Generator content="Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a.MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext="edit" spidmax="1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext="edit">\x0d\x0a  <o:idmap v:ext="edit" data="1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=EN-US link=blue vlink=purple>\x0d\x0a\x0d\x0a<div class=Section1>\x0d\x0a\x0d\x0a<p class=MsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=MsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.035156 usecs, local_orig=T, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
-XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.035156 usecs, local_orig=T, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
-
 XXXXXXXXXX.XXXXXX mime_entity_data
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] length: count      = 0
@@ -2097,6 +2070,9 @@ XXXXXXXXXX.XXXXXX get_file_handle
                   [2] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
+XXXXXXXXXX.XXXXXX Files::log_files
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=Fqrb1K5DWEfgy4WU2, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=<uninitialized>, duration=61.035156 usecs, local_orig=T, is_orig=T, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+
 XXXXXXXXXX.XXXXXX get_file_handle
                   [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 758.039474 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=4, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2454,13 +2430,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4,=20
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9553, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798767, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9553, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60910, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798767, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 776.874542 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9554, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800227, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1500, id=9554, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60909, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800227, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 163.0 msecs 776.874542 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2846,7 +2822,7 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = Options=20
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9554, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800227, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1514, cap_len=1514, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1500, id=9554, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60909, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800227, ack=2934727550, hl=20, dl=1460, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -2855,7 +2831,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=548, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17689, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17689, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26413, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=548, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2868,13 +2844,13 @@ XXXXXXXXXX.XXXXXX icmp_unreachable
                   [3] context: icmp_context = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], len=1500, proto=1, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=T]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17689, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17689, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26413, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=13, num_bytes_ip=6518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 166.0 msecs 123.867035 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9555, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9555, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60916, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=13, num_bytes_ip=6518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 166.0 msecs 123.867035 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2890,13 +2866,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = From: "Gurpartap Singh" <gurpartap@patriots.in>\x0d\x0aTo: <raj_deol2002in@yahoo.co.in>\x0d\x0aSubject: SMTP\x0d\x0aDate: Mon, 5 Oct 2009 11:36:07 +0530\x0d\x0aMessage-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>\x0d\x0aMIME-Version: 1.0\x0d\x0aContent-Type: multipart/mixed;\x0d\x0a\x09boundary="----=_NextPart_000_0004_01CA45B0.095693F0"\x0d\x0aX-Mailer: Microsoft Office Outlook 12.0\x0d\x0aThread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==\x0d\x0aContent-Language: en-us\x0d\x0ax-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=\x0d\x0ax-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}\x0d\x0a\x0d\x0aThis is a multipart message in MIME format.\x0d\x0a\x0d\x0a------=_NextPart_000_0004_01CA45B0.095693F0\x0d\x0aContent-Type: multipart/alternative;\x0d\x0a\x09boundary="----=_NextPart_001_0005_01CA45B0.095693F0"\x0d\x0a\x0d\x0a\x0d\x0a------=_NextPart_001_0005_01CA45B0.095693F0\x0d\x0aContent-Type: text/plain;\x0d\x0a\x09charset="us-ascii"\x0d\x0aContent-Transfer-Encoding: 7bit\x0d\x0a\x0d\x0aHello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a\x0d\x0a------=_NextPart_001_0005_01CA45B0.095693F0\x0d\x0aContent-Type: text/html;\x0d\x0a\x09charset="us-ascii"\x0d\x0aContent-Transfer-Encoding: quoted-printable\x0d\x0a\x0d\x0a<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =\x0d\x0axmlns:o=3D"urn:schemas-microsoft-com:office:office" =\x0d\x0axmlns:w=3D"urn:schemas
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9555, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9555, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60916, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126795847, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=1096, state=1, num_pkts=1, num_bytes_ip=576, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=507.831573 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17690, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17690, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26412, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=1096, state=1, num_pkts=1, num_bytes_ip=576, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=507.831573 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2909,13 +2885,13 @@ XXXXXXXXXX.XXXXXX icmp_unreachable
                   [3] context: icmp_context = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], len=1500, proto=1, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=T]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17690, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17690, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26412, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=1644, state=1, num_pkts=2, num_bytes_ip=1152, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 132.965088 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17691, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17691, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26411, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=1644, state=1, num_pkts=2, num_bytes_ip=1152, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 132.965088 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2928,13 +2904,13 @@ XXXXXXXXXX.XXXXXX icmp_unreachable
                   [3] context: icmp_context = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], len=1500, proto=1, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=T]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17691, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17691, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26411, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=3, num_bytes_ip=1728, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 518.964767 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17692, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=192, len=576, id=17692, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26410, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=3, num_bytes_ip=1728, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 518.964767 usecs, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2947,13 +2923,13 @@ XXXXXXXXXX.XXXXXX icmp_unreachable
                   [3] context: icmp_context = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], len=1500, proto=1, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=T]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17692, ttl=63, p=1, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=590, cap_len=590, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=192, len=576, id=17692, DF=F, MF=F, offset=0, ttl=63, p=1, sum=26410, src=192.168.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=3]]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=14, num_bytes_ip=8010, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 894.832611 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8683, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126797299, hl=20, dl=0, reserved=0, flags=16, win=8712], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8683, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17577, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126797299, hl=20, dl=0, reserved=0, flags=16, win=8712], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=14, num_bytes_ip=8010, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 894.832611 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2965,13 +2941,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8683, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126797299, hl=20, dl=0, reserved=0, flags=16, win=8712], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8683, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17577, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126797299, hl=20, dl=0, reserved=0, flags=16, win=8712], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=14, num_bytes_ip=8010, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 925.827026 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9556, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797299, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9556, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60915, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797299, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=14, num_bytes_ip=8010, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 925.827026 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -2987,13 +2963,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = -microsoft-com:office:word" =\x0d\x0axmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =\x0d\x0axmlns=3D"http://www.w3.org/TR/REC-html40">\x0d\x0a\x0d\x0a<head>\x0d\x0a<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =\x0d\x0acharset=3Dus-ascii">\x0d\x0a<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">\x0d\x0a<style>\x0d\x0a<!--\x0d\x0a /* Font Definitions */\x0d\x0a @font-face\x0d\x0a\x09{font-family:"Cambria Math";\x0d\x0a\x09panose-1:2 4 5 3 5 4 6 3 2 4;}\x0d\x0a@font-face\x0d\x0a\x09{font-family:Calibri;\x0d\x0a\x09panose-1:2 15 5 2 2 2 4 3 2 4;}\x0d\x0a /* Style Definitions */\x0d\x0a p.MsoNormal, li.MsoNormal, div.MsoNormal\x0d\x0a\x09{margin:0in;\x0d\x0a\x09margin-bottom:.0001pt;\x0d\x0a\x09font-size:11.0pt;\x0d\x0a\x09font-family:"Calibri","sans-serif";}\x0d\x0aa:link, span.MsoHyperlink\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:blue;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aa:visited, span.MsoHyperlinkFollowed\x0d\x0a\x09{mso-style-priority:99;\x0d\x0a\x09color:purple;\x0d\x0a\x09text-decoration:underline;}\x0d\x0aspan.EmailStyle17\x0d\x0a\x09{mso-style-type:personal-compose;\x0d\x0a\x09font-family:"Calibri","sans-serif";\x0d\x0a\x09color:windowtext;}\x0d\x0a..MsoChpDefault\x0d\x0a\x09{mso-style-type:export-only;}\x0d\x0a@page Section1\x0d\x0a\x09{size:8.5in 11.0in;\x0d\x0a\x09margin:1.0in 1.0in 1.0in 1.0in;}\x0d\x0adiv.Section1\x0d\x0a\x09{page:Section1;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a<!--[if gte mso 9]><xml>\x0d\x0a <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />\x0d\x0a</xml><![endif]--><!--[if gte mso 9]><xml>\x0d\x0a <o:shapelayout v:ext=3D"edit">\x0d\x0a  <o:idmap v:ext=3D"edit" data=3D"1" />\x0d\x0a </o:shapelayout></xml><![endif]-->\x0d\x0a</head>\x0d\x0a\x0d\x0a<body lang=3DEN-US link=3Dblue vlink=3Dpurple>\x0d\x0a\x0d\x0a<div cl
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9556, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797299, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9556, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60915, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126797299, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=15, num_bytes_ip=9502, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 952.05307 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9557, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798751, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9557, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60914, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798751, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=15, num_bytes_ip=9502, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 575.0 msecs 952.05307 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -3009,13 +2985,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = ass=3DSection1>\x0d\x0a\x0d\x0a<p class=3DMsoNormal>Hello<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>\x0d\x0a\x0d\x0a<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>\x0d\x0a\x0d\x0a<p class=3DMsoNormal>GPS<o:p></o:p></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a\x0d\x0a</html>\x0d\x0a\x0d\x0a------=_NextPart_001_0005_01CA45B0.095693F0--\x0d\x0a\x0d\x0a------=_NextPart_000_0004_01CA45B0.095693F0\x0d\x0aContent-Type: text/plain;\x0d\x0a\x09name="NEWS.txt"\x0d\x0aContent-Transfer-Encoding: quoted-printable\x0d\x0aContent-Disposition: attachment;\x0d\x0a\x09filename="NEWS.txt"\x0d\x0a\x0d\x0aVersion 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when =\x0d\x0ait is needed\x0d\x0a* Added new compiler/linker options:=20\x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, =\x0d\x0ai686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9557, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798751, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9557, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60914, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126798751, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=16, num_bytes_ip=10994, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 676.927567 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8684, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126798751, hl=20, dl=0, reserved=0, flags=16, win=11616], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8684, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17576, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126798751, hl=20, dl=0, reserved=0, flags=16, win=11616], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=16, num_bytes_ip=10994, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=11, num_bytes_ip=910, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 676.927567 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -3027,14 +3003,14 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8684, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126798751, hl=20, dl=0, reserved=0, flags=16, win=11616], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8684, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17576, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126798751, hl=20, dl=0, reserved=0, flags=16, win=11616], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=16, num_bytes_ip=10994, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 712.928772 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9558, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800203, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9558, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60913, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800203, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=16, num_bytes_ip=10994, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 712.928772 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -3050,7 +3026,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = ,=20\x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, =\x0d\x0aathlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, =\x0d\x0asse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during =\x0d\x0adebugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose =\x0d\x0abetween using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code =\x0d\x0acompletion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages =\x0d\x0adirectory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of =\x0d\x0aall the standard=20\x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile.=20\x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment =\x0d\x0aOptions=20\x0d\x0a  (sti
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9558, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800203, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9558, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60913, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126800203, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -3059,7 +3035,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 768.003464 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9559, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126801655, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9559, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60912, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126801655, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 940.0 msecs 768.003464 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -3585,13 +3561,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = * Added "Open with" in project units context menu
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9559, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126801655, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9559, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60912, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126801655, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 121.030807 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8685, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126800203, hl=20, dl=0, reserved=0, flags=16, win=14520], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8685, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17575, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126800203, hl=20, dl=0, reserved=0, flags=16, win=14520], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 121.030807 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -3603,13 +3579,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8685, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126800203, hl=20, dl=0, reserved=0, flags=16, win=14520], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8685, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17575, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126800203, hl=20, dl=0, reserved=0, flags=16, win=14520], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 134.859085 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9560, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126803107, ack=2934727550, hl=20, dl=1452, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9560, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60911, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126803107, ack=2934727550, hl=20, dl=1452, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 134.859085 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -4030,14 +4006,14 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = * Added two new macros: <DATE> and <DATETIME>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9560, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126803107, ack=2934727550, hl=20, dl=1452, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9560, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60911, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126803107, ack=2934727550, hl=20, dl=1452, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 152.978897 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9561, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126804559, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9561, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60910, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126804559, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 secs 965.0 msecs 152.978897 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -4433,7 +4409,7 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = * New class browser option: "Show inherited members"
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9561, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126804559, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9561, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60910, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126804559, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -4444,7 +4420,7 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 548.906326 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8686, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126801655, hl=20, dl=0, reserved=0, flags=16, win=17424], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8686, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17574, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126801655, hl=20, dl=0, reserved=0, flags=16, win=17424], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 548.906326 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -4456,7 +4432,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8686, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126801655, hl=20, dl=0, reserved=0, flags=16, win=17424], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8686, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17574, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126801655, hl=20, dl=0, reserved=0, flags=16, win=17424], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -4465,7 +4441,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 582.046509 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9562, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126806011, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9562, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60909, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126806011, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 582.046509 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -4991,13 +4967,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = giving the
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9562, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126806011, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9562, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60909, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126806011, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 608.987808 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9563, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126807463, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9563, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60908, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126807463, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 305.0 msecs 608.987808 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5353,13 +5329,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = * Added new WebUpdate module (inactive temporarily).
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9563, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126807463, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9563, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60908, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126807463, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 254.865646 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8687, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126803107, hl=20, dl=0, reserved=0, flags=16, win=20328], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8687, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17573, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126803107, hl=20, dl=0, reserved=0, flags=16, win=20328], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 254.865646 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5371,13 +5347,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8687, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126803107, hl=20, dl=0, reserved=0, flags=16, win=20328], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8687, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17573, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126803107, hl=20, dl=0, reserved=0, flags=16, win=20328], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 269.886017 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9564, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126808915, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1492, id=9564, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60907, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126808915, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 269.886017 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5833,13 +5809,13 @@ XXXXXXXXXX.XXXXXX smtp_data
                   [2] data: string       = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9564, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126808915, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1506, cap_len=1506, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1492, id=9564, DF=T, MF=F, offset=0, ttl=128, p=6, sum=60907, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126808915, ack=2934727550, hl=20, dl=1452, reserved=0, flags=16, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=69, id=9565, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810367, ack=2934727550, hl=20, dl=29, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=69, id=9565, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62329, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810367, ack=2934727550, hl=20, dl=29, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5862,24 +5838,9 @@ XXXXXXXXXX.XXXXXX mime_entity_data
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=[filename=NEWS.txt], fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=FEFYSd1s8Onn9LynKj, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a\x09}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a  - Strip executable\x0d\x0a  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a  - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a  include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a  (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a  compiler: -D__DEBUG__\x0d\x0a* Each project creates a <project_name>_private.h file containing version\x0d\x0a  information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=XXXXXXXXXX.XXXXXX, fuid=FEFYSd1s8Onn9LynKj, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.819611 usecs, local_orig=T, is_orig=T, seen_bytes=4027, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
-XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FEFYSd1s8Onn9LynKj, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=1.0 sec 165.0 msecs 511.846542 usecs, local_orig=T, is_orig=T, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
-
 XXXXXXXXXX.XXXXXX mime_entity_data
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] length: count      = 0
@@ -5894,6 +5855,9 @@ XXXXXXXXXX.XXXXXX get_file_handle
                   [2] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
+XXXXXXXXXX.XXXXXX Files::log_files
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FEFYSd1s8Onn9LynKj, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=1.0 sec 165.0 msecs 511.846542 usecs, local_orig=T, is_orig=T, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+
 XXXXXXXXXX.XXXXXX get_file_handle
                   [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5939,13 +5903,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = .
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=83, cap_len=83, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=69, id=9565, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810367, ack=2934727550, hl=20, dl=29, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=83, cap_len=83, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=69, id=9565, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62329, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810367, ack=2934727550, hl=20, dl=29, reserved=0, flags=24, win=65073], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 352.0 msecs 176.904678 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8688, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126804559, hl=20, dl=0, reserved=0, flags=16, win=23232], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8688, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17572, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126804559, hl=20, dl=0, reserved=0, flags=16, win=23232], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 352.0 msecs 176.904678 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5957,13 +5921,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8688, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126804559, hl=20, dl=0, reserved=0, flags=16, win=23232], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8688, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17572, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126804559, hl=20, dl=0, reserved=0, flags=16, win=23232], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=16, num_bytes_ip=1110, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 376.0 msecs 536.846161 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8689, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126806011, hl=20, dl=0, reserved=0, flags=16, win=26136], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8689, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17571, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126806011, hl=20, dl=0, reserved=0, flags=16, win=26136], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=16, num_bytes_ip=1110, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 376.0 msecs 536.846161 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5975,13 +5939,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8689, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126806011, hl=20, dl=0, reserved=0, flags=16, win=26136], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8689, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17571, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126806011, hl=20, dl=0, reserved=0, flags=16, win=26136], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=17, num_bytes_ip=1150, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 671.0 msecs 133.041382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8690, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126807463, hl=20, dl=0, reserved=0, flags=16, win=29040], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8690, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17570, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126807463, hl=20, dl=0, reserved=0, flags=16, win=29040], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=17, num_bytes_ip=1150, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 671.0 msecs 133.041382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -5993,13 +5957,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8690, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126807463, hl=20, dl=0, reserved=0, flags=16, win=29040], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8690, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17570, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126807463, hl=20, dl=0, reserved=0, flags=16, win=29040], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=18, num_bytes_ip=1190, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 693.0 msecs 699.836731 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8691, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126808915, hl=20, dl=0, reserved=0, flags=16, win=31944], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8691, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17569, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126808915, hl=20, dl=0, reserved=0, flags=16, win=31944], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=18, num_bytes_ip=1190, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 693.0 msecs 699.836731 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6011,13 +5975,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8691, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126808915, hl=20, dl=0, reserved=0, flags=16, win=31944], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8691, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17569, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126808915, hl=20, dl=0, reserved=0, flags=16, win=31944], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=19, num_bytes_ip=1230, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 717.0 msecs 797.994614 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8692, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810367, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8692, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17568, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810367, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=19, num_bytes_ip=1230, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 717.0 msecs 797.994614 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6029,13 +5993,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8692, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810367, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8692, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17568, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810367, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=20, num_bytes_ip=1270, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 719.0 msecs 244.95697 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8693, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8693, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17567, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=20, num_bytes_ip=1270, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 719.0 msecs 244.95697 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6047,13 +6011,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8693, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8693, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17567, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=68, id=8694, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=28, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=68, id=8694, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17538, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=28, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=F, entity_count=5, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6077,7 +6041,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=82, cap_len=82, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=68, id=8694, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=28, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=82, cap_len=82, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=68, id=8694, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17538, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727550, ack=2126810396, hl=20, dl=28, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX SMTP::log_smtp
@@ -6086,7 +6050,7 @@ XXXXXXXXXX.XXXXXX SMTP::log_smtp
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 858.0 msecs 548.879623 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9568, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=0, reserved=0, flags=16, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9568, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62355, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=0, reserved=0, flags=16, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 secs 858.0 msecs 548.879623 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6098,14 +6062,14 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9568, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=0, reserved=0, flags=16, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9568, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62355, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=0, reserved=0, flags=16, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=9573, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=6, reserved=0, flags=24, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=9573, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62344, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=6, reserved=0, flags=24, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6127,13 +6091,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=9573, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=6, reserved=0, flags=24, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=9573, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62344, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810396, ack=2934727578, hl=20, dl=6, reserved=0, flags=24, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=26, num_bytes_ip=21593, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 235.0 msecs 529.899597 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9574, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810402, ack=2934727578, hl=20, dl=0, reserved=0, flags=17, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9574, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62349, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810402, ack=2934727578, hl=20, dl=0, reserved=0, flags=17, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=26, num_bytes_ip=21593, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 235.0 msecs 529.899597 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6149,14 +6113,14 @@ XXXXXXXXXX.XXXXXX connection_EOF
                   [1] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9574, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810402, ack=2934727578, hl=20, dl=0, reserved=0, flags=17, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9574, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62349, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810402, ack=2934727578, hl=20, dl=0, reserved=0, flags=17, win=65045], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=88, id=8695, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727578, ack=2126810402, hl=20, dl=48, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=88, id=8695, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17517, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727578, ack=2126810402, hl=20, dl=48, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6180,7 +6144,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=102, cap_len=102, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=88, id=8695, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727578, ack=2126810402, hl=20, dl=48, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=102, cap_len=102, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=88, id=8695, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17517, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727578, ack=2126810402, hl=20, dl=48, reserved=0, flags=24, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -6189,7 +6153,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=23, num_bytes_ip=1466, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8696, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727626, ack=2126810402, hl=20, dl=0, reserved=0, flags=17, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8696, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17564, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727626, ack=2126810402, hl=20, dl=0, reserved=0, flags=17, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=23, num_bytes_ip=1466, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6208,13 +6172,13 @@ XXXXXXXXXX.XXXXXX connection_finished
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=23, num_bytes_ip=1466, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8696, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727626, ack=2126810402, hl=20, dl=0, reserved=0, flags=17, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8696, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17564, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727626, ack=2126810402, hl=20, dl=0, reserved=0, flags=17, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=24, num_bytes_ip=1506, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9577, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810403, ack=2934727627, hl=20, dl=0, reserved=0, flags=16, win=64997], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=9577, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62346, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810403, ack=2934727627, hl=20, dl=0, reserved=0, flags=16, win=64997], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=24, num_bytes_ip=1506, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6226,13 +6190,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9577, ttl=128, p=6, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810403, ack=2934727627, hl=20, dl=0, reserved=0, flags=16, win=64997], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=00:e0:1c:3c:17:c2, dst=00:1f:33:d9:81:60, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=9577, DF=T, MF=F, offset=0, ttl=128, p=6, sum=62346, src=10.10.1.4, dst=74.53.140.153], ip6=<uninitialized>, tcp=[sport=1470/tcp, dport=25/tcp, seq=2126810403, ack=2934727627, hl=20, dl=0, reserved=0, flags=16, win=64997], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=24, num_bytes_ip=1506, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8697, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727627, ack=2126810403, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=96, len=40, id=8697, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17563, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727627, ack=2126810403, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=24, num_bytes_ip=1506, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 secs 576.0 msecs 952.934265 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=7, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6244,7 +6208,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8697, ttl=50, p=6, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727627, ack=2126810403, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=00:1f:33:d9:81:60, dst=00:e0:1c:3c:17:c2, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=96, len=40, id=8697, DF=T, MF=F, offset=0, ttl=50, p=6, sum=17563, src=74.53.140.153, dst=10.10.1.4], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=1470/tcp, seq=2934727627, ack=2126810403, hl=20, dl=0, reserved=0, flags=16, win=34848], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -6254,7 +6218,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=229, id=13949, ttl=128, p=17, src=10.10.1.20, dst=10.10.1.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=138/udp, dport=138/udp, ulen=209], icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=229, id=13949, DF=F, MF=F, offset=0, ttl=128, p=17, sum=60516, src=10.10.1.20, dst=10.10.1.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=138/udp, dport=138/udp, ulen=209], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6264,7 +6228,7 @@ XXXXXXXXXX.XXXXXX udp_request
                   [0] u: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=243, cap_len=243, src=00:02:3f:ec:61:11, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=229, id=13949, ttl=128, p=17, src=10.10.1.20, dst=10.10.1.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=138/udp, dport=138/udp, ulen=209], icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=243, cap_len=243, src=00:02:3f:ec:61:11, dst=ff:ff:ff:ff:ff:ff, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=229, id=13949, DF=F, MF=F, offset=0, ttl=128, p=17, sum=60516, src=10.10.1.20, dst=10.10.1.255], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=138/udp, dport=138/udp, ulen=209], icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -6307,7 +6271,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CUM0KZ3MLUfNB0cl11, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=93, id=11069, ttl=64, p=6, src=192.168.133.100, dst=66.196.121.26], ip6=<uninitialized>, tcp=[sport=49285/tcp, dport=5050/tcp, seq=3102346460, ack=957174106, hl=32, dl=41, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=93, id=11069, DF=T, MF=F, offset=0, ttl=64, p=6, sum=3443, src=192.168.133.100, dst=66.196.121.26], ip6=<uninitialized>, tcp=[sport=49285/tcp, dport=5050/tcp, seq=3102346460, ack=957174106, hl=32, dl=41, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CUM0KZ3MLUfNB0cl11, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6346,7 +6310,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403023531, echo_timestamp=4275162075, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=107, cap_len=107, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=93, id=11069, ttl=64, p=6, src=192.168.133.100, dst=66.196.121.26], ip6=<uninitialized>, tcp=[sport=49285/tcp, dport=5050/tcp, seq=3102346460, ack=957174106, hl=32, dl=41, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=107, cap_len=107, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=93, id=11069, DF=T, MF=F, offset=0, ttl=64, p=6, sum=3443, src=192.168.133.100, dst=66.196.121.26], ip6=<uninitialized>, tcp=[sport=49285/tcp, dport=5050/tcp, seq=3102346460, ack=957174106, hl=32, dl=41, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX Conn::log_conn
@@ -6364,7 +6328,7 @@ XXXXXXXXXX.XXXXXX Conn::log_conn
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=343.0 msecs 8.041382 usecs, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=16082, ttl=52, p=6, src=66.196.121.26, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5050/tcp, dport=49285/tcp, seq=957174106, ack=3102346501, hl=32, dl=0, reserved=0, flags=16, win=8280], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=16082, DF=T, MF=F, offset=0, ttl=52, p=6, sum=1543, src=66.196.121.26, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5050/tcp, dport=49285/tcp, seq=957174106, ack=3102346501, hl=32, dl=0, reserved=0, flags=16, win=8280], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX partial_connection
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=343.0 msecs 8.041382 usecs, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6402,7 +6366,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=4275222705, echo_timestamp=403023531, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=16082, ttl=52, p=6, src=66.196.121.26, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5050/tcp, dport=49285/tcp, seq=957174106, ack=3102346501, hl=32, dl=0, reserved=0, flags=16, win=8280], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=16082, DF=T, MF=F, offset=0, ttl=52, p=6, sum=1543, src=66.196.121.26, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5050/tcp, dport=49285/tcp, seq=957174106, ack=3102346501, hl=32, dl=0, reserved=0, flags=16, win=8280], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -6416,7 +6380,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=64, id=43466, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465340, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=64, id=43466, DF=T, MF=F, offset=0, ttl=64, p=6, sum=1234, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465340, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6485,13 +6449,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1460, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=3, length=3, data=<uninitialized>, mss=<uninitialized>, window_scale=5, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034601, echo_timestamp=0, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=0, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=43466, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465340, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=43466, DF=T, MF=F, offset=0, ttl=64, p=6, sum=1234, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465340, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 msecs 707.098007 usecs, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=0, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788254, ack=3976465341, hl=40, dl=0, reserved=0, flags=18, win=28960], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=0, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44704, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788254, ack=3976465341, hl=40, dl=0, reserved=0, flags=18, win=28960], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 msecs 707.098007 usecs, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6545,13 +6509,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1460, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=84163, echo_timestamp=403034601, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=3, length=3, data=<uninitialized>, mss=<uninitialized>, window_scale=7, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=0, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788254, ack=3976465341, hl=40, dl=0, reserved=0, flags=18, win=28960], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=0, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44704, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788254, ack=3976465341, hl=40, dl=0, reserved=0, flags=18, win=28960], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 msecs 828.929901 usecs, service={\x0a\x0a}, history=ShA, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=35904, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788255, hl=32, dl=0, reserved=0, flags=16, win=4117], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=35904, DF=T, MF=F, offset=0, ttl=64, p=6, sum=8808, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788255, hl=32, dl=0, reserved=0, flags=16, win=4117], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_first_ACK
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=4.0 msecs 828.929901 usecs, service={\x0a\x0a}, history=ShA, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6589,13 +6553,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034617, echo_timestamp=84163, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=35904, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788255, hl=32, dl=0, reserved=0, flags=16, win=4117], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=35904, DF=T, MF=F, offset=0, ttl=64, p=6, sum=8808, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788255, hl=32, dl=0, reserved=0, flags=16, win=4117], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=87, id=51483, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788255, ack=3976465341, hl=32, dl=35, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=87, id=51483, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58729, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788255, ack=3976465341, hl=32, dl=35, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6642,14 +6606,14 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=101, cap_len=101, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=87, id=51483, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788255, ack=3976465341, hl=32, dl=35, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=101, cap_len=101, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=87, id=51483, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58729, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788255, ack=3976465341, hl=32, dl=35, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=10.0 msecs 360.002518 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=57836, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=0, reserved=0, flags=16, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=57836, DF=T, MF=F, offset=0, ttl=64, p=6, sum=52411, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=0, reserved=0, flags=16, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=10.0 msecs 360.002518 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6684,7 +6648,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034622, echo_timestamp=84165, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=57836, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=0, reserved=0, flags=16, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=57836, DF=T, MF=F, offset=0, ttl=64, p=6, sum=52411, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=0, reserved=0, flags=16, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -6693,7 +6657,7 @@ XXXXXXXXXX.XXXXXX load_sample
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=6370, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=24, reserved=0, flags=24, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=6370, DF=T, MF=F, offset=0, ttl=64, p=6, sum=38318, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=24, reserved=0, flags=24, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6747,13 +6711,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = [192.168.133.100]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=6370, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=24, reserved=0, flags=24, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=6370, DF=T, MF=F, offset=0, ttl=64, p=6, sum=38318, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465341, ack=2131788290, hl=32, dl=24, reserved=0, flags=24, win=4116], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=28.0 msecs 74.026108 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=51484, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=0, reserved=0, flags=16, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=51484, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58763, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=0, reserved=0, flags=16, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=28.0 msecs 74.026108 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6788,13 +6752,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=84170, echo_timestamp=403034638, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=51484, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=0, reserved=0, flags=16, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=51484, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58763, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=0, reserved=0, flags=16, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=102, id=51485, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=50, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=102, id=51485, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58712, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=50, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6865,13 +6829,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=116, cap_len=116, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=102, id=51485, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=50, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=116, cap_len=116, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=102, id=51485, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58712, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788290, ack=3976465365, hl=32, dl=50, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 474.020004 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=18318, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=0, reserved=0, flags=16, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=18318, DF=T, MF=F, offset=0, ttl=64, p=6, sum=26394, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=0, reserved=0, flags=16, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=29.0 msecs 474.020004 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6906,13 +6870,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034640, echo_timestamp=84170, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=18318, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=0, reserved=0, flags=16, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=18318, DF=T, MF=F, offset=0, ttl=64, p=6, sum=26394, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=0, reserved=0, flags=16, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=84, id=219, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=32, reserved=0, flags=24, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=84, id=219, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44461, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=32, reserved=0, flags=24, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -6957,13 +6921,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = FROM:<albert@example.com>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=219, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=32, reserved=0, flags=24, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=219, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44461, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465365, ack=2131788340, hl=32, dl=32, reserved=0, flags=24, win=4115], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51486, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788340, ack=3976465397, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51486, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58753, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788340, ack=3976465397, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7010,13 +6974,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51486, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788340, ack=3976465397, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51486, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58753, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788340, ack=3976465397, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=32.0 msecs 967.090607 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=60334, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=60334, DF=T, MF=F, offset=0, ttl=64, p=6, sum=49913, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=32.0 msecs 967.090607 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7051,13 +7015,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034643, echo_timestamp=84171, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=60334, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=60334, DF=T, MF=F, offset=0, ttl=64, p=6, sum=49913, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=84, id=21859, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=32, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=84, id=21859, DF=T, MF=F, offset=0, ttl=64, p=6, sum=22821, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=32, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7102,13 +7066,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = TO:<ericlim220@yahoo.com>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=21859, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=32, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=98, cap_len=98, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=84, id=21859, DF=T, MF=F, offset=0, ttl=64, p=6, sum=22821, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465397, ack=2131788348, hl=32, dl=32, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51487, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788348, ack=3976465429, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51487, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58752, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788348, ack=3976465429, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7155,13 +7119,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51487, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788348, ack=3976465429, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51487, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58752, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788348, ack=3976465429, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 160.945892 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=32869, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=32869, DF=T, MF=F, offset=0, ttl=64, p=6, sum=11843, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 160.945892 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7196,13 +7160,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034646, echo_timestamp=84172, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=32869, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=32869, DF=T, MF=F, offset=0, ttl=64, p=6, sum=11843, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=85, id=31729, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=33, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=85, id=31729, DF=T, MF=F, offset=0, ttl=64, p=6, sum=12950, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=33, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7247,13 +7211,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = TO:<felica4uu@hotmail.com>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=99, cap_len=99, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=85, id=31729, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=33, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=99, cap_len=99, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=85, id=31729, DF=T, MF=F, offset=0, ttl=64, p=6, sum=12950, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465429, ack=2131788356, hl=32, dl=33, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51488, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788356, ack=3976465462, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51488, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58751, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788356, ack=3976465462, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7300,13 +7264,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51488, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788356, ack=3976465462, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51488, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58751, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788356, ack=3976465462, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=40.0 msecs 825.128555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=32087, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=32087, DF=T, MF=F, offset=0, ttl=64, p=6, sum=12625, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=40.0 msecs 825.128555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7341,13 +7305,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034650, echo_timestamp=84173, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=32087, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=32087, DF=T, MF=F, offset=0, ttl=64, p=6, sum=12625, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=87, id=49663, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=35, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=87, id=49663, DF=T, MF=F, offset=0, ttl=64, p=6, sum=60549, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=35, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7392,13 +7356,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = TO:<davis_mark1@outlook.com>
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=101, cap_len=101, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=87, id=49663, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=35, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=101, cap_len=101, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=87, id=49663, DF=T, MF=F, offset=0, ttl=64, p=6, sum=60549, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465462, ack=2131788364, hl=32, dl=35, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51489, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788364, ack=3976465497, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51489, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58750, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788364, ack=3976465497, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7445,13 +7409,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51489, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788364, ack=3976465497, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51489, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58750, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788364, ack=3976465497, hl=32, dl=8, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 253.110886 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=31709, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=31709, DF=T, MF=F, offset=0, ttl=64, p=6, sum=13003, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 253.110886 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7486,13 +7450,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034653, echo_timestamp=84174, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=31709, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=31709, DF=T, MF=F, offset=0, ttl=64, p=6, sum=13003, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=0, reserved=0, flags=16, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=58, id=10610, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=6, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=58, id=10610, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34096, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=6, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7540,13 +7504,13 @@ XXXXXXXXXX.XXXXXX mime_begin_entity
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=58, id=10610, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=6, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=72, cap_len=72, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=58, id=10610, DF=T, MF=F, offset=0, ttl=64, p=6, sum=34096, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465497, ack=2131788372, hl=32, dl=6, reserved=0, flags=24, win=4114], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=89, id=51490, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788372, ack=3976465503, hl=32, dl=37, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=89, id=51490, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58720, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788372, ack=3976465503, hl=32, dl=37, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7593,13 +7557,13 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=103, cap_len=103, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=89, id=51490, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788372, ack=3976465503, hl=32, dl=37, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=103, cap_len=103, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=89, id=51490, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58720, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788372, ack=3976465503, hl=32, dl=37, reserved=0, flags=24, win=227], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 43.012619 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=14746, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=14746, DF=T, MF=F, offset=0, ttl=64, p=6, sum=29966, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 43.012619 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7634,13 +7598,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034656, echo_timestamp=84175, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=14746, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=14746, DF=T, MF=F, offset=0, ttl=64, p=6, sum=29966, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=859, id=49517, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=807, reserved=0, flags=24, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=859, id=49517, DF=T, MF=F, offset=0, ttl=64, p=6, sum=59923, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=807, reserved=0, flags=24, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7924,12 +7888,6 @@ XXXXXXXXXX.XXXXXX mime_entity_data
 XXXXXXXXXX.XXXXXX mime_end_entity
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=[filename=<uninitialized>], fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = T
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
                   [0] f: fa_file         = [id=Fc5KpS3kUYqDLwWSMf, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]
@@ -7938,15 +7896,6 @@ XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_state_remove
                   [0] f: fa_file         = [id=Fc5KpS3kUYqDLwWSMf, parent_id=<uninitialized>, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SMTP::finalize_smtp\x0a\x09\x09{ \x0a\x09\x09if (SMTP::c?$smtp) \x0a\x09\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a\x09}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits <albert@example.com> wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=<uninitialized>, id=<uninitialized>, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
-XXXXXXXXXX.XXXXXX get_file_handle
-                  [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-XXXXXXXXXX.XXXXXX event_queue_flush_point
-XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
-
 XXXXXXXXXX.XXXXXX mime_all_data
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] length: count      = 204
@@ -7963,6 +7912,9 @@ XXXXXXXXXX.XXXXXX get_file_handle
                   [2] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
+XXXXXXXXXX.XXXXXX Files::log_files
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=Fc5KpS3kUYqDLwWSMf, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=T, is_orig=T, seen_bytes=204, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+
 XXXXXXXXXX.XXXXXX get_file_handle
                   [0] tag: Analyzer::Tag = Analyzer::ANALYZER_SMTP
                   [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=T, trans_rcpt_to_seen=T, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -7976,13 +7928,13 @@ XXXXXXXXXX.XXXXXX smtp_request
                   [3] arg: string        = .
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=873, cap_len=873, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=859, id=49517, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=807, reserved=0, flags=24, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=873, cap_len=873, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=859, id=49517, DF=T, MF=F, offset=0, ttl=64, p=6, sum=59923, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976465503, ack=2131788409, hl=32, dl=807, reserved=0, flags=24, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51491, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788409, ack=3976466310, hl=32, dl=8, reserved=0, flags=24, win=239], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=60, id=51491, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58748, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788409, ack=3976466310, hl=32, dl=8, reserved=0, flags=24, win=239], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, process_smtp_headers=T, entity_count=1, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8029,7 +7981,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [5] cont_resp: bool    = F
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51491, ttl=64, p=6, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788409, ack=3976466310, hl=32, dl=8, reserved=0, flags=24, win=239], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=74, cap_len=74, src=00:08:ca:cc:ad:4c, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=60, id=51491, DF=T, MF=F, offset=0, ttl=64, p=6, sum=58748, src=192.168.133.102, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=25/tcp, dport=49648/tcp, seq=2131788409, ack=3976466310, hl=32, dl=8, reserved=0, flags=24, win=239], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX SMTP::log_smtp
@@ -8038,7 +7990,7 @@ XXXXXXXXXX.XXXXXX SMTP::log_smtp
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=57.0 msecs 320.11795 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=44186, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976466310, ack=2131788417, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=44186, DF=T, MF=F, offset=0, ttl=64, p=6, sum=526, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976466310, ack=2131788417, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=57.0 msecs 320.11795 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=<uninitialized>, trans_mail_from_seen=F, trans_rcpt_to_seen=F, invalid_transactions=0, analyzer_id=21, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8073,7 +8025,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034665, echo_timestamp=84177, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=44186, ttl=64, p=6, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976466310, ack=2131788417, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=00:08:ca:cc:ad:4c, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=44186, DF=T, MF=F, offset=0, ttl=64, p=6, sum=526, src=192.168.133.100, dst=192.168.133.102], ip6=<uninitialized>, tcp=[sport=49648/tcp, dport=25/tcp, seq=3976466310, ack=2131788417, hl=32, dl=0, reserved=0, flags=16, win=4112], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -8087,7 +8039,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=^d, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=63879, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=63879, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47264, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=^d, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8126,13 +8078,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=539416720, echo_timestamp=403018179, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=63879, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=63879, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47264, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=1, num_bytes_ip=137, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=46.96846 usecs, service={\x0a\x0a}, history=^dt, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=63901, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=63901, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47242, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=1, num_bytes_ip=137, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=46.96846 usecs, service={\x0a\x0a}, history=^dt, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8171,13 +8123,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=539417055, echo_timestamp=403018179, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=63901, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=63901, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47242, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=2, num_bytes_ip=274, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=153.064728 usecs, service={\x0a\x0a}, history=^dt, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=64044, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=137, id=64044, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47099, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=2, num_bytes_ip=274, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=153.064728 usecs, service={\x0a\x0a}, history=^dt, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8216,13 +8168,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=539417390, echo_timestamp=403018179, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=64044, ttl=48, p=6, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=151, cap_len=151, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=137, id=64044, DF=F, MF=F, offset=0, ttl=48, p=6, sum=47099, src=74.125.71.189, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49336/tcp, seq=3980080258, ack=1584252430, hl=32, dl=85, reserved=0, flags=24, win=873], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=172.138214 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=63304, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=63304, DF=T, MF=F, offset=0, ttl=64, p=6, sum=27444, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX partial_connection
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=172.138214 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8260,13 +8212,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403045274, echo_timestamp=539416720, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=63304, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=63304, DF=T, MF=F, offset=0, ttl=64, p=6, sum=27444, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=220.060349 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=6886, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=6886, DF=T, MF=F, offset=0, ttl=64, p=6, sum=18327, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=220.060349 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8301,14 +8253,14 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403045274, echo_timestamp=539417055, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=6886, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=6886, DF=T, MF=F, offset=0, ttl=64, p=6, sum=18327, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=221.014023 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=3407, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=3407, DF=T, MF=F, offset=0, ttl=64, p=6, sum=21806, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=221.014023 usecs, service={\x0a\x0a}, history=^dtA, uid=CP5puj4I8PtEU4qzYg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8343,7 +8295,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403045274, echo_timestamp=539417390, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=3407, ttl=64, p=6, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=3407, DF=T, MF=F, offset=0, ttl=64, p=6, sum=21806, src=192.168.133.100, dst=74.125.71.189], ip6=<uninitialized>, tcp=[sport=49336/tcp, dport=443/tcp, seq=1584252430, ack=3980080343, hl=32, dl=0, reserved=0, flags=16, win=4093], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX load_sample
@@ -8358,7 +8310,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=766, id=17405, ttl=64, p=6, src=192.168.133.100, dst=17.172.238.21], ip6=<uninitialized>, tcp=[sport=49153/tcp, dport=5223/tcp, seq=1896121299, ack=4026911025, hl=32, dl=714, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=766, id=17405, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44590, src=192.168.133.100, dst=17.172.238.21], ip6=<uninitialized>, tcp=[sport=49153/tcp, dport=5223/tcp, seq=1896121299, ack=4026911025, hl=32, dl=714, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8397,13 +8349,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403046002, echo_timestamp=4183838604, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=780, cap_len=780, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=766, id=17405, ttl=64, p=6, src=192.168.133.100, dst=17.172.238.21], ip6=<uninitialized>, tcp=[sport=49153/tcp, dport=5223/tcp, seq=1896121299, ack=4026911025, hl=32, dl=714, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=780, cap_len=780, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=766, id=17405, DF=T, MF=F, offset=0, ttl=64, p=6, sum=44590, src=192.168.133.100, dst=17.172.238.21], ip6=<uninitialized>, tcp=[sport=49153/tcp, dport=5223/tcp, seq=1896121299, ack=4026911025, hl=32, dl=714, reserved=0, flags=24, win=4096], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=38117, ttl=52, p=6, src=17.172.238.21, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5223/tcp, dport=49153/tcp, seq=4026911025, ack=1896122013, hl=32, dl=0, reserved=0, flags=16, win=375], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=38117, DF=T, MF=F, offset=0, ttl=52, p=6, sum=27664, src=17.172.238.21, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5223/tcp, dport=49153/tcp, seq=4026911025, ack=1896122013, hl=32, dl=0, reserved=0, flags=16, win=375], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX partial_connection
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8441,7 +8393,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=4183989261, echo_timestamp=403046002, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=38117, ttl=52, p=6, src=17.172.238.21, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5223/tcp, dport=49153/tcp, seq=4026911025, ack=1896122013, hl=32, dl=0, reserved=0, flags=16, win=375], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=38117, DF=T, MF=F, offset=0, ttl=52, p=6, sum=27664, src=17.172.238.21, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=5223/tcp, dport=49153/tcp, seq=4026911025, ack=1896122013, hl=32, dl=0, reserved=0, flags=16, win=375], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -8453,7 +8405,7 @@ XXXXXXXXXX.XXXXXX new_connection
 
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=64, id=60923, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393379, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=64, id=60923, DF=T, MF=F, offset=0, ttl=64, p=6, sum=24255, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393379, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=S, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8522,14 +8474,14 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1460, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=3, length=3, data=<uninitialized>, mss=<uninitialized>, window_scale=5, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403046199, echo_timestamp=0, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=0, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=60923, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393379, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=60923, DF=T, MF=F, offset=0, ttl=64, p=6, sum=24255, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393379, ack=0, hl=44, dl=0, reserved=0, flags=2, win=65535], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=149.0 msecs 281.024933 usecs, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=50798, ttl=242, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610143, ack=3289393380, hl=32, dl=0, reserved=0, flags=18, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=52, id=50798, DF=T, MF=F, offset=0, ttl=242, p=6, sum=54359, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610143, ack=3289393380, hl=32, dl=0, reserved=0, flags=18, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_SYN_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=149.0 msecs 281.024933 usecs, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8589,13 +8541,13 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [2] options: TCP::OptionList = [[kind=2, length=4, data=<uninitialized>, mss=1440, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=3, length=3, data=<uninitialized>, mss=<uninitialized>, window_scale=4, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>], [kind=4, length=2, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>, rate=<uninitialized>, ttl_diff=<uninitialized>, qs_nonce=<uninitialized>]]
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=50798, ttl=242, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610143, ack=3289393380, hl=32, dl=0, reserved=0, flags=18, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=50798, DF=T, MF=F, offset=0, ttl=242, p=6, sum=54359, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610143, ack=3289393380, hl=32, dl=0, reserved=0, flags=18, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=149.0 msecs 415.016174 usecs, service={\x0a\x0a}, history=ShA, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=56718, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=0, reserved=0, flags=16, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=56718, DF=T, MF=F, offset=0, ttl=64, p=6, sum=28484, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=0, reserved=0, flags=16, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_first_ACK
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=149.0 msecs 415.016174 usecs, service={\x0a\x0a}, history=ShA, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8610,13 +8562,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=56718, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=0, reserved=0, flags=16, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=56718, DF=T, MF=F, offset=0, ttl=64, p=6, sum=28484, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=0, reserved=0, flags=16, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=241, id=39444, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=201, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=241, id=39444, DF=T, MF=F, offset=0, ttl=64, p=6, sum=45557, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=201, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -8637,61 +8589,61 @@ XXXXXXXXXX.XXXXXX ssl_extension_server_name
                   [2] names: string_vec  = [p31-keyvalueservice.icloud.com]
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 0
                   [3] val: string        = \x00!\x00\x00\x1ep31-keyvalueservice.icloud.com
 
 XXXXXXXXXX.XXXXXX ssl_extension_elliptic_curves
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] curves: index_vec  = [23, 24, 25]
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 10
                   [3] val: string        = \x00\x06\x00\x17\x00\x18\x00\x19
 
 XXXXXXXXXX.XXXXXX ssl_extension_ec_point_formats
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] point_formats: index_vec = [0]
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 11
                   [3] val: string        = \x01\x00
 
 XXXXXXXXXX.XXXXXX ssl_extension_signature_algorithm
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] signature_algorithms: signature_and_hashalgorithm_vec = [[HashAlgorithm=5, SignatureAlgorithm=1], [HashAlgorithm=4, SignatureAlgorithm=1], [HashAlgorithm=2, SignatureAlgorithm=1], [HashAlgorithm=4, SignatureAlgorithm=3], [HashAlgorithm=2, SignatureAlgorithm=3]]
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 13
                   [3] val: string        = \x00\x0a\x05\x01\x04\x01\x02\x01\x04\x03\x02\x03
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] code: count        = 13172
                   [3] val: string        = 
 
 XXXXXXXXXX.XXXXXX analyzer_confirmation_info
                   [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_SSL
-                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], f=<uninitialized>, aid=35]
+                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], f=<uninitialized>, aid=35]
 
 XXXXXXXXXX.XXXXXX analyzer_confirmation
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_SSL
                   [2] aid: count         = 35
 
 XXXXXXXXXX.XXXXXX ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] record_version: count = 769
                   [3] possible_ts: time  = XXXXXXXXXX.XXXXXX
@@ -8701,33 +8653,33 @@ XXXXXXXXXX.XXXXXX ssl_client_hello
                   [7] comp_methods: index_vec = [0]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] msg_type: count    = 1
                   [3] length: count      = 192
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 769
                   [3] content_type: count = 22
                   [4] length: count      = 196
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=255, cap_len=255, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=241, id=39444, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=201, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=255, cap_len=255, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=241, id=39444, DF=T, MF=F, offset=0, ttl=64, p=6, sum=45557, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393380, ack=2319610144, hl=20, dl=201, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1480, id=50800, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610144, ack=3289393581, hl=20, dl=1440, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1480, id=50800, DF=T, MF=F, offset=0, ttl=243, p=6, sum=52673, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610144, ack=3289393581, hl=20, dl=1440, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x16\x03\x03\x0a$\x02\x00\x00M\x03\x03U\xb3\x92w\xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM \x17x\xe5j\x19T\x12vWY\xcf\xf3\xeai\\xdf\x09[]\xb7\xdf.[\x0e\x04\xa8\x89bJ\x94\xa7\x0c\x00\x04\x00\x00\x05\xff\x01\x00\x01\x00\x0b\x00\x09\xcb\x00\x09\xc8\x00\x05~0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 527.97699 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 1
@@ -8736,16 +8688,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x16\x03\x03\x0a$\x02\x00\x00M\x03\x03U\xb3\x92w\xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM \x17x\xe5j\x19T\x12vWY\xcf\xf3\xeai\\xdf\x09[]\xb7\xdf.[\x0e\x04\xa8\x89bJ\x94\xa7\x0c\x00\x04\x00\x00\x05\xff\x01\x00\x01\x00\x0b\x00\x09\xcb\x00\x09\xc8\x00\x05~0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1494, cap_len=1494, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1480, id=50800, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610144, ack=3289393581, hl=20, dl=1440, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1494, cap_len=1494, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1480, id=50800, DF=T, MF=F, offset=0, ttl=243, p=6, sum=52673, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319610144, ack=3289393581, hl=20, dl=1440, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 647.901535 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=30539, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319611584, hl=20, dl=0, reserved=0, flags=16, win=8147], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 647.901535 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=30539, DF=T, MF=F, offset=0, ttl=64, p=6, sum=54663, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319611584, hl=20, dl=0, reserved=0, flags=16, win=8147], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 647.901535 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=3, num_bytes_ip=345, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=1440, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=301.0 msecs 647.901535 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 202
@@ -8754,20 +8706,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=30539, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319611584, hl=20, dl=0, reserved=0, flags=16, win=8147], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=30539, DF=T, MF=F, offset=0, ttl=64, p=6, sum=54663, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319611584, hl=20, dl=0, reserved=0, flags=16, win=8147], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1201, id=50802, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319611584, ack=3289393581, hl=20, dl=1161, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1201, id=50802, DF=T, MF=F, offset=0, ttl=243, p=6, sum=52950, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319611584, ack=3289393581, hl=20, dl=1161, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3\x00\x04D0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6\x0e\x00\x00\x00
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 1441
@@ -8776,13 +8728,13 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3\x00\x04D0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6\x0e\x00\x00\x00
 
 XXXXXXXXXX.XXXXXX ssl_extension
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] code: count        = 65281
                   [3] val: string        = \x00
 
 XXXXXXXXXX.XXXXXX ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 771
                   [2] record_version: count = 771
                   [3] possible_ts: time  = XXXXXXXXXX.XXXXXX
@@ -8792,205 +8744,205 @@ XXXXXXXXXX.XXXXXX ssl_server_hello
                   [7] comp_method: count = 0
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=C, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 2
                   [3] length: count      = 77
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-user-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = md5
                   [2] hash: string       = 1bf9696d9f337805383427e88781d001
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56
 
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
-
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX X509::log_x509
                   [0] rec: X509::Info    = [ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]]
 
 XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-ca-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = md5
                   [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b
 
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
-
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a\x09}, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=<uninitialized>, id=<uninitialized>, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 2596
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1215, cap_len=1215, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1201, id=50802, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319611584, ack=3289393581, hl=20, dl=1161, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1215, cap_len=1215, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1201, id=50802, DF=T, MF=F, offset=0, ttl=243, p=6, sum=52950, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319611584, ack=3289393581, hl=20, dl=1161, reserved=0, flags=24, win=2565], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX X509::log_x509
                   [0] rec: X509::Info    = [ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]]
 
 XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=10474, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=0, reserved=0, flags=16, win=8155], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=10474, DF=T, MF=F, offset=0, ttl=64, p=6, sum=9193, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=0, reserved=0, flags=16, win=8155], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 202
@@ -8999,20 +8951,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=10474, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=0, reserved=0, flags=16, win=8155], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=10474, DF=T, MF=F, offset=0, ttl=64, p=6, sum=9193, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=0, reserved=0, flags=16, win=8155], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=307, id=4791, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=267, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=307, id=4791, DF=T, MF=F, offset=0, ttl=64, p=6, sum=14609, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=267, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x16\x03\x03\x01\x06\x10\x00\x01\x02\x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 202
@@ -9021,37 +8973,37 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x16\x03\x03\x01\x06\x10\x00\x01\x02\x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX ssl_rsa_client_pms
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] pms: string        = \x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 262
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=321, cap_len=321, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=307, id=4791, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=267, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=321, cap_len=321, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=307, id=4791, DF=T, MF=F, offset=0, ttl=64, p=6, sum=14609, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=267, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=53789, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393848, ack=2319612745, hl=20, dl=6, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=53789, DF=T, MF=F, offset=0, ttl=64, p=6, sum=31407, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393848, ack=2319612745, hl=20, dl=6, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x14\x03\x03\x00\x01\x01
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 469
@@ -9060,31 +9012,31 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x14\x03\x03\x00\x01\x01
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=53789, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393848, ack=2319612745, hl=20, dl=6, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=46, id=53789, DF=T, MF=F, offset=0, ttl=64, p=6, sum=31407, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393848, ack=2319612745, hl=20, dl=6, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=77, id=51331, DF=T, MF=F, offset=0, ttl=64, p=6, sum=33834, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x16\x03\x03\x00 \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 475
@@ -9093,23 +9045,23 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x16\x03\x03\x00 \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 
 XXXXXXXXXX.XXXXXX ssl_encrypted_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 32
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=91, cap_len=91, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=91, cap_len=91, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=77, id=51331, DF=T, MF=F, offset=0, ttl=64, p=6, sum=33834, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50803, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393848, hl=20, dl=0, reserved=0, flags=16, win=2908], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50803, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54110, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393848, hl=20, dl=0, reserved=0, flags=16, win=2908], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9118,16 +9070,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50803, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393848, hl=20, dl=0, reserved=0, flags=16, win=2908], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50803, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54110, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393848, hl=20, dl=0, reserved=0, flags=16, win=2908], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50804, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393854, hl=20, dl=0, reserved=0, flags=16, win=3268], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50804, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54109, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393854, hl=20, dl=0, reserved=0, flags=16, win=3268], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9136,16 +9088,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50804, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393854, hl=20, dl=0, reserved=0, flags=16, win=3268], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50804, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54109, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393854, hl=20, dl=0, reserved=0, flags=16, win=3268], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50805, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=0, reserved=0, flags=16, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50805, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54108, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=0, reserved=0, flags=16, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9154,20 +9106,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50805, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=0, reserved=0, flags=16, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50805, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54108, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=0, reserved=0, flags=16, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=83, id=50807, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54063, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x14\x03\x03\x00\x01\x01\x16\x03\x03\x00 Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 2602
@@ -9176,40 +9128,40 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x14\x03\x03\x00\x01\x01\x16\x03\x03\x00 Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_encrypted_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_client: bool    = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 32
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=50807, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54063, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX SSL::log_ssl
-                  [0] rec: SSL::Info     = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0]
+                  [0] rec: SSL::Info     = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=18678, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=18678, DF=T, MF=F, offset=0, ttl=64, p=6, sum=989, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 512
@@ -9218,20 +9170,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=18678, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=18678, DF=T, MF=F, offset=0, ttl=64, p=6, sum=989, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=661, id=10957, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=621, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=661, id=10957, DF=T, MF=F, offset=0, ttl=64, p=6, sum=8089, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=621, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x02h\xb3\xc7\xe1\xb6|\xfeW\xee]\xac/\xba\x97\x8ai\xcaK4\xaf\xb9V\xe4\xa0G\x95\xa7\x93\xc8K\x8d\x88\x82p\xbdA\x93U;B\xcf\x0c\x87\xc2\x90\x8a\x80?'\x18\xcc\xcb+\xd7\xec\x95\xcaWA?\xb8t\xe0\xe7?\xdbJ.E\xb1\xea\xa7\xcd\x9a\x1e{\xaf\xca(\x03\xb9j\xc8;5\xe4\xca\x1for\xe5\x13F\xff; \xac\xe9\x97E\xb5\xb9\xc3\x0a\x97\xd1"\xf4\x15\x96{q\xb4\x11\xf2\xe1<\x91\x1f\xc6'l\xbf\xb6\x17\xae\x17!F\xbc\xb2\xecD\xb8\xeeS\x13a\x97\xd7b\x9a?\xb0e\x1d\x8c\xd3x\xa6.\xe9\x9c)\xd0\xe7>\xf8\x96\xa5%\x1b\xe4YQ|\x93\xc1\xf9F\x8c\x07U\xe6/zL\xae\xc1@\x83[\x89k\xfbE\xcc?\xa47;\x0d\xa6Y\x98\x08\xa9\xe025e}_\xdbK\xdeZ\x1cE\xb7\xd9 'OD.w\xf2Ho\x96\x94\xd4M\x9d\x1b'\x05\x14\xd8\x0c2\xd6\xf3\x15\xf3'[\x9a\x94\xc9\x96\x99A\x1a]\x9b+\x17\x03k\x92\x9c\x8f\x99\xc5\xfbz\xaa\xc3\x88\xf8H\xcbV\xd054\xef\xdbH\xc2\x88\x11\xf3\xf8l\x0c6\x1e9\xa8;\xf9:\x0d\xd2qMN\xbb9+\xabL\x94}\xff\xbe\xe6\xef\xe7\xa6\x1b\xa2\xcd\xba\xee\x84\x87e\xf4&\xc3g\xb1?N$\xe1\xa4"\x09S8\xff\xa8\xbf\xba9\xf48\x1b\x7f[\xf2\xb2\xba\xbb<\x83\xb0\xc5\xefk\xb6k?\xbe\xfc,T\x1b\x9dX\xff\xe1\x91\x18\xd9U\x13W\x09\xa6\xd6\x8aNV+x\xc6\xa3g\x85\xe6\xd7>\xf6\x9a`$\xa5\xeaA\x16\x0a\xc7u\xe4\x00\xdb\x987.2\x8a\xef\x8a\x86{\x17\x06E\x88\x12\xc8B\x04\x97\xe0\xec\xe3vBQ\x15\x81O.\xbc\xc6D\xfa2\xa6v\x1b\x0dle\xfc\xef(]\x9dI\x18"\xd4\xd1\x8e\xbaR\xa6\x17\xb7THv}\xb4]\xae&\x0f{\xd6C\x8b\x92d\xee\xd9\xb68.]\x08uP\xb6^AZ\x0e-E.\xb9\xadn\x05\x7f\xd5\x14\xa8%F)\x84\xa1v\xda\xa0/C\xc8\xf9\x1fAo;\xb1\xffd\xb0\xdfG\xeaT\x940\xdb#\xe2\xdbp\x86s&RJt\xc6\xb1iB\xe8F5\xe2\x83.I\x03\x1dV\x1cs\xcf\xb5\x88\xcf\x13h%\x8a\xbe\xdc\xaa\xc4r3\xc3\x06tj\xf6\x96R\x8a\xf3\x90\xa63\x9c[J\xff\x1c]1\x974d\x0b#O\xc72\x00\x92b"\x1f\x14y\x05A\x85k\x16\x03\x8cB\xf3\xfb\xc4\xf9\xd4\x1f3>\xa2\x9c\xba\x08e\xd67\x00sL\x99\x9fW
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 512
@@ -9240,20 +9192,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x02h\xb3\xc7\xe1\xb6|\xfeW\xee]\xac/\xba\x97\x8ai\xcaK4\xaf\xb9V\xe4\xa0G\x95\xa7\x93\xc8K\x8d\x88\x82p\xbdA\x93U;B\xcf\x0c\x87\xc2\x90\x8a\x80?'\x18\xcc\xcb+\xd7\xec\x95\xcaWA?\xb8t\xe0\xe7?\xdbJ.E\xb1\xea\xa7\xcd\x9a\x1e{\xaf\xca(\x03\xb9j\xc8;5\xe4\xca\x1for\xe5\x13F\xff; \xac\xe9\x97E\xb5\xb9\xc3\x0a\x97\xd1"\xf4\x15\x96{q\xb4\x11\xf2\xe1<\x91\x1f\xc6'l\xbf\xb6\x17\xae\x17!F\xbc\xb2\xecD\xb8\xeeS\x13a\x97\xd7b\x9a?\xb0e\x1d\x8c\xd3x\xa6.\xe9\x9c)\xd0\xe7>\xf8\x96\xa5%\x1b\xe4YQ|\x93\xc1\xf9F\x8c\x07U\xe6/zL\xae\xc1@\x83[\x89k\xfbE\xcc?\xa47;\x0d\xa6Y\x98\x08\xa9\xe025e}_\xdbK\xdeZ\x1cE\xb7\xd9 'OD.w\xf2Ho\x96\x94\xd4M\x9d\x1b'\x05\x14\xd8\x0c2\xd6\xf3\x15\xf3'[\x9a\x94\xc9\x96\x99A\x1a]\x9b+\x17\x03k\x92\x9c\x8f\x99\xc5\xfbz\xaa\xc3\x88\xf8H\xcbV\xd054\xef\xdbH\xc2\x88\x11\xf3\xf8l\x0c6\x1e9\xa8;\xf9:\x0d\xd2qMN\xbb9+\xabL\x94}\xff\xbe\xe6\xef\xe7\xa6\x1b\xa2\xcd\xba\xee\x84\x87e\xf4&\xc3g\xb1?N$\xe1\xa4"\x09S8\xff\xa8\xbf\xba9\xf48\x1b\x7f[\xf2\xb2\xba\xbb<\x83\xb0\xc5\xefk\xb6k?\xbe\xfc,T\x1b\x9dX\xff\xe1\x91\x18\xd9U\x13W\x09\xa6\xd6\x8aNV+x\xc6\xa3g\x85\xe6\xd7>\xf6\x9a`$\xa5\xeaA\x16\x0a\xc7u\xe4\x00\xdb\x987.2\x8a\xef\x8a\x86{\x17\x06E\x88\x12\xc8B\x04\x97\xe0\xec\xe3vBQ\x15\x81O.\xbc\xc6D\xfa2\xa6v\x1b\x0dle\xfc\xef(]\x9dI\x18"\xd4\xd1\x8e\xbaR\xa6\x17\xb7THv}\xb4]\xae&\x0f{\xd6C\x8b\x92d\xee\xd9\xb68.]\x08uP\xb6^AZ\x0e-E.\xb9\xadn\x05\x7f\xd5\x14\xa8%F)\x84\xa1v\xda\xa0/C\xc8\xf9\x1fAo;\xb1\xffd\xb0\xdfG\xeaT\x940\xdb#\xe2\xdbp\x86s&RJt\xc6\xb1iB\xe8F5\xe2\x83.I\x03\x1dV\x1cs\xcf\xb5\x88\xcf\x13h%\x8a\xbe\xdc\xaa\xc4r3\xc3\x06tj\xf6\x96R\x8a\xf3\x90\xa63\x9c[J\xff\x1c]1\x974d\x0b#O\xc72\x00\x92b"\x1f\x14y\x05A\x85k\x16\x03\x8cB\xf3\xfb\xc4\xf9\xd4\x1f3>\xa2\x9c\xba\x08e\xd67\x00sL\x99\x9fW
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=675, cap_len=675, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=661, id=10957, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=621, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=675, cap_len=675, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=661, id=10957, DF=T, MF=F, offset=0, ttl=64, p=6, sum=8089, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=621, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1157, id=57830, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289394512, ack=2319612788, hl=20, dl=1117, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1157, id=57830, DF=T, MF=F, offset=0, ttl=64, p=6, sum=26255, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289394512, ack=2319612788, hl=20, dl=1117, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x04X<,@\xce{\xe2\xed\x1d\xe7\xec\\\x96RT\x94y\xa4\xa8%,\xb5X\xe2X\xc0$\x0e\xf1\xde\x0d\xd0C\xc3_\xa84H?\x93\x13\xeb\x89\x12\x98\xa0\xd0\xf6\xbayU\xfd\xf4T\xf6Qb\xa1\xc5j\xe8\xcc9\xb5\xfd\xbds\xf7CT\xbe\xaa\xaa\x14V\x8c\x0aC9&&\x05\xe6\xd8\x8c\xacVbCF\x0f\xc7A\x01^\xd2\x15\x18\xaa\xf8\xdfI\xf8.v\x08Q\xb3K\xfe\xa0\x84\xe5\x93Y\xd9T:\x8c^\xe1\xe5\xf6BY}A=\xee\x970n\xddE;m\x01\xdb,t\x14\xed/\x9a\xdeU\xe7\x92_\xa3\x88\xc8`\xf6n\x0e-\xd5\xd82\xb3\xd8[\xf1\xf5fey\xdb\xab\xfeN\xe9\x94\xf6#\xac\xbd\x9b\xf7\xde\xfb\x17\xf9\x8c\x97\x8f:\xdf\x87KQpK\x93\xb4\xb2r0\xe39\xc2\x85\x8d\x95)\x19le\xdb\xd4S\xb3\x85\xcb\xa7\x96\x1e\x00\xba\xee\x0f\x01\xb6mNf\x82uAH\xba\xa6\xef\xdch\x1c*\x97C\xe5\xc3>\x91^\xc8\xe0S\x07\x96\x02\x94z{\x87\x0f\x9c\xc5\xcd\x009\x09K<\xe7 T\x8d\xda\xce\xca\x00ea*v2\x83\xfd\xef\x8d2\xcd0J\xff\x0ad\xcd\x8a\x9el\x90\x02\xfe\xc8\x9c%<\xa4\xed\x1c\xac \x8c\xf4\xe5\x9c\x9c^\x0cJ\xb4\x06\xff\xc6#\x07=\xe299!Q\x13\xf1\xdb\xc1\xfe\xa6&\xd7D};Y\xechBD(\x81\x9c\x8c\xd6\x80\xaa{uA\xfcj\xa3\xd0Vq\xb4Z\x01\xb3\xc4\x9f\x9d\xb9\xc0\xe4`}\xb2\x01o\xf9\xe4\x87\xbe\xd0\x94_\xba0\xffN\x82E\x1c\xc9\xc9\x8d\xae\xd5{\x9fIkV\x98\x81\xed\x00\xbeo\xe9\x97\xc7\x07B\xb4\\xcd\xfb\x94h\xde\x0d\xe6M\x8eb\x94\xa1\x04V\x89\xc5\x0e\xd8\xc7}\xc2\x0f8\xaf\xd0a\xef\xdf\xac\x9c1~\x04\x109\x0ef\xa7_\xe0\xa1RF<\x94\xc2O\xebT,\xde7\xf7\x19\xb1\xf3\x91\xba#\xf4\x98Y\x9d"l\xa6\xf8\xb3\xfd\xc6\xcb\xf6+t\x00\xd7\xb9\xe8S\xb5a\xc5K\xd6c\xe9\xe7\xcd2\xe1b\x8f\xfbe\xf1u\xb2Wa\x0eE\xe0\x85\xe8h\x8e8\x90\xd3\x83i\xbf\x8dOK5\xc6\xba\x1a;\x1bt\xbb\x85\x90\x1b\xcf\x10g\x9f\x81\x96N\xca\x81\xb5{C\xf2G\xd4]\xf3\xc9Q\x85M\x1e/5{N!\x18\xd6%\xbby\x03\xb1mc\xd4\x92\x15\x8f\x09\xc3\xf6Z\xaa,\xa3z\xd3\x97D\xf8\xf0\x82\x14\xad\xa7\x0aFs\xa0\xfbU\x84\xea\x14^\x1f{\x0a\x91[\xcc\x97\x87\x9a\x82p\xffu,\xcd\xa1\xd5\x1a\xa4_:\xfd_\xcd\xe5i\xcc\x0c=\x93"e\x19\xab\x83\xbbr\xa9\x1e\x92\xc2Bg\xd0\x8f\xef\x85\xd0\x9b\xdc\x09B\xd2C\x09\x8c\xb8\xf3\xc9\xf7F\xd0\x8c\xf5sb\xc5\x070~\xe0\xb0\xe7y\x1d\xe6\xdf\xb1G\xa3Vi\x91\x0fg\xce\xd1\x86\xb7\x99\x90rT\xa0(\xcf\x9eT\x18\xa4\xb4=\x16\x1e-j\x19}\x9bS\xd1\x10e9\xcc\xbe1O\xcb\xb1\xa6\xc5WT\xb8A\xc3\x13\xf3\x13ra\xf3O\xea\xe9\xa1\xea\xb1\x0f\xa3\xce^\xbd\xe9\x93,\x8ao\xf3y\xd2\xf7\xba$\x92oX\xb2(\xea\x94\xbd\xeb}\x08 \x85\xe4$1tK\xda(\xfa\xdd\xcdX9\xa4L\xdb\x19k\x12T\xa8\xe6@\xf55\xa0\x85@\xec\x9dD\xe6SK\xbc@\x05\x93*-z\x17]\xe6\x13l`\x13f\x0a\xf18\xdbvkU\x90\xe6\x88S\x9b\x85)\x9fa`\x08\xea\xe5Q\x96\x04\xf1fe\xdei\xbd\xc9\xb3x\xff7\xd2\x0f6\x82YA\xf1_\x04x\x81QMf\xe6uD%\x95\x7f\xf6ph\xbf\x7f\xa6\xea\x98\x8f\x1f<G\xe5U\xc5I\xf3\xd1?\x83\xc6\xb2\xbd\xa2I*\xeceN\x91b\xd9\xc2\xa3\xc2\xf3\xc2\x17\x0ch\xeeH\x15\xf4\xc1x\xc7"\xacj\x8a@\x07\xa4+\xa0\xab\xf7\xc2\xb8\xd1\xc8\xd8\xfc\x07\x1b\x12'I!\x90\xb7\x88\xd8\x1a\xbf\xdeq\x98\xe9\xf6=\xedHmH\x84)\x09p\xbb!\x95\xc1qP\x13\xba\x1f\xdd\xf7\\x831\xb2\xd8\x82N\xdfM\x81K\xf5\x95+\xdd\xc2\xcd\xc5"\xc8\x14\x81>\xa6\x18.\xdeh\xd1\x94\xa9k\x13\x0a\x12\xaf\x9c\xe2\xd6\x96\x05\x9e\xb1\xc3\xcaEx\xb8c\xbf\xa1\xaa38g\xa7\x0d\xc0\x99\x83\xbc1<\x0c}\xb9#\x0c\x1a\xb3\x0e\xc4X?`\x15\x8e\xcc\xb9\xa1F#\xb5\x84N3\xc9\xcd\xb4\xf3\x0a{5\xcd\x1a\xd5f\xf8*\xef\x1e\x16\xc1\xef\xea|!\xe9\xaapy&~qx\xaa\xbeY\xa0X\x92'\x83\x89\xf5s\xa5\xeb\x8f&At\x93j\xcc\xe7\xb8(C\x9d
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 1133
@@ -9262,16 +9214,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x04X<,@\xce{\xe2\xed\x1d\xe7\xec\\\x96RT\x94y\xa4\xa8%,\xb5X\xe2X\xc0$\x0e\xf1\xde\x0d\xd0C\xc3_\xa84H?\x93\x13\xeb\x89\x12\x98\xa0\xd0\xf6\xbayU\xfd\xf4T\xf6Qb\xa1\xc5j\xe8\xcc9\xb5\xfd\xbds\xf7CT\xbe\xaa\xaa\x14V\x8c\x0aC9&&\x05\xe6\xd8\x8c\xacVbCF\x0f\xc7A\x01^\xd2\x15\x18\xaa\xf8\xdfI\xf8.v\x08Q\xb3K\xfe\xa0\x84\xe5\x93Y\xd9T:\x8c^\xe1\xe5\xf6BY}A=\xee\x970n\xddE;m\x01\xdb,t\x14\xed/\x9a\xdeU\xe7\x92_\xa3\x88\xc8`\xf6n\x0e-\xd5\xd82\xb3\xd8[\xf1\xf5fey\xdb\xab\xfeN\xe9\x94\xf6#\xac\xbd\x9b\xf7\xde\xfb\x17\xf9\x8c\x97\x8f:\xdf\x87KQpK\x93\xb4\xb2r0\xe39\xc2\x85\x8d\x95)\x19le\xdb\xd4S\xb3\x85\xcb\xa7\x96\x1e\x00\xba\xee\x0f\x01\xb6mNf\x82uAH\xba\xa6\xef\xdch\x1c*\x97C\xe5\xc3>\x91^\xc8\xe0S\x07\x96\x02\x94z{\x87\x0f\x9c\xc5\xcd\x009\x09K<\xe7 T\x8d\xda\xce\xca\x00ea*v2\x83\xfd\xef\x8d2\xcd0J\xff\x0ad\xcd\x8a\x9el\x90\x02\xfe\xc8\x9c%<\xa4\xed\x1c\xac \x8c\xf4\xe5\x9c\x9c^\x0cJ\xb4\x06\xff\xc6#\x07=\xe299!Q\x13\xf1\xdb\xc1\xfe\xa6&\xd7D};Y\xechBD(\x81\x9c\x8c\xd6\x80\xaa{uA\xfcj\xa3\xd0Vq\xb4Z\x01\xb3\xc4\x9f\x9d\xb9\xc0\xe4`}\xb2\x01o\xf9\xe4\x87\xbe\xd0\x94_\xba0\xffN\x82E\x1c\xc9\xc9\x8d\xae\xd5{\x9fIkV\x98\x81\xed\x00\xbeo\xe9\x97\xc7\x07B\xb4\\xcd\xfb\x94h\xde\x0d\xe6M\x8eb\x94\xa1\x04V\x89\xc5\x0e\xd8\xc7}\xc2\x0f8\xaf\xd0a\xef\xdf\xac\x9c1~\x04\x109\x0ef\xa7_\xe0\xa1RF<\x94\xc2O\xebT,\xde7\xf7\x19\xb1\xf3\x91\xba#\xf4\x98Y\x9d"l\xa6\xf8\xb3\xfd\xc6\xcb\xf6+t\x00\xd7\xb9\xe8S\xb5a\xc5K\xd6c\xe9\xe7\xcd2\xe1b\x8f\xfbe\xf1u\xb2Wa\x0eE\xe0\x85\xe8h\x8e8\x90\xd3\x83i\xbf\x8dOK5\xc6\xba\x1a;\x1bt\xbb\x85\x90\x1b\xcf\x10g\x9f\x81\x96N\xca\x81\xb5{C\xf2G\xd4]\xf3\xc9Q\x85M\x1e/5{N!\x18\xd6%\xbby\x03\xb1mc\xd4\x92\x15\x8f\x09\xc3\xf6Z\xaa,\xa3z\xd3\x97D\xf8\xf0\x82\x14\xad\xa7\x0aFs\xa0\xfbU\x84\xea\x14^\x1f{\x0a\x91[\xcc\x97\x87\x9a\x82p\xffu,\xcd\xa1\xd5\x1a\xa4_:\xfd_\xcd\xe5i\xcc\x0c=\x93"e\x19\xab\x83\xbbr\xa9\x1e\x92\xc2Bg\xd0\x8f\xef\x85\xd0\x9b\xdc\x09B\xd2C\x09\x8c\xb8\xf3\xc9\xf7F\xd0\x8c\xf5sb\xc5\x070~\xe0\xb0\xe7y\x1d\xe6\xdf\xb1G\xa3Vi\x91\x0fg\xce\xd1\x86\xb7\x99\x90rT\xa0(\xcf\x9eT\x18\xa4\xb4=\x16\x1e-j\x19}\x9bS\xd1\x10e9\xcc\xbe1O\xcb\xb1\xa6\xc5WT\xb8A\xc3\x13\xf3\x13ra\xf3O\xea\xe9\xa1\xea\xb1\x0f\xa3\xce^\xbd\xe9\x93,\x8ao\xf3y\xd2\xf7\xba$\x92oX\xb2(\xea\x94\xbd\xeb}\x08 \x85\xe4$1tK\xda(\xfa\xdd\xcdX9\xa4L\xdb\x19k\x12T\xa8\xe6@\xf55\xa0\x85@\xec\x9dD\xe6SK\xbc@\x05\x93*-z\x17]\xe6\x13l`\x13f\x0a\xf18\xdbvkU\x90\xe6\x88S\x9b\x85)\x9fa`\x08\xea\xe5Q\x96\x04\xf1fe\xdei\xbd\xc9\xb3x\xff7\xd2\x0f6\x82YA\xf1_\x04x\x81QMf\xe6uD%\x95\x7f\xf6ph\xbf\x7f\xa6\xea\x98\x8f\x1f<G\xe5U\xc5I\xf3\xd1?\x83\xc6\xb2\xbd\xa2I*\xeceN\x91b\xd9\xc2\xa3\xc2\xf3\xc2\x17\x0ch\xeeH\x15\xf4\xc1x\xc7"\xacj\x8a@\x07\xa4+\xa0\xab\xf7\xc2\xb8\xd1\xc8\xd8\xfc\x07\x1b\x12'I!\x90\xb7\x88\xd8\x1a\xbf\xdeq\x98\xe9\xf6=\xedHmH\x84)\x09p\xbb!\x95\xc1qP\x13\xba\x1f\xdd\xf7\\x831\xb2\xd8\x82N\xdfM\x81K\xf5\x95+\xdd\xc2\xcd\xc5"\xc8\x14\x81>\xa6\x18.\xdeh\xd1\x94\xa9k\x13\x0a\x12\xaf\x9c\xe2\xd6\x96\x05\x9e\xb1\xc3\xcaEx\xb8c\xbf\xa1\xaa38g\xa7\x0d\xc0\x99\x83\xbc1<\x0c}\xb9#\x0c\x1a\xb3\x0e\xc4X?`\x15\x8e\xcc\xb9\xa1F#\xb5\x84N3\xc9\xcd\xb4\xf3\x0a{5\xcd\x1a\xd5f\xf8*\xef\x1e\x16\xc1\xef\xea|!\xe9\xaapy&~qx\xaa\xbeY\xa0X\x92'\x83\x89\xf5s\xa5\xeb\x8f&At\x93j\xcc\xe7\xb8(C\x9d
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1171, cap_len=1171, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1157, id=57830, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289394512, ack=2319612788, hl=20, dl=1117, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=1171, cap_len=1171, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=1157, id=57830, DF=T, MF=F, offset=0, ttl=64, p=6, sum=26255, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289394512, ack=2319612788, hl=20, dl=1117, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50808, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289394512, hl=20, dl=0, reserved=0, flags=16, win=3947], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50808, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54105, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289394512, hl=20, dl=0, reserved=0, flags=16, win=3947], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2645
@@ -9280,16 +9232,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50808, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289394512, hl=20, dl=0, reserved=0, flags=16, win=3947], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50808, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54105, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289394512, hl=20, dl=0, reserved=0, flags=16, win=3947], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50809, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=0, reserved=0, flags=16, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50809, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54104, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=0, reserved=0, flags=16, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2645
@@ -9298,20 +9250,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50809, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=0, reserved=0, flags=16, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=50809, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54104, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=0, reserved=0, flags=16, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=427, id=50811, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=387, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=427, id=50811, DF=T, MF=F, offset=0, ttl=243, p=6, sum=53715, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=387, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x01~^\x0a\x11^Z\xfb\x1e\x9fV2\x00V\xa4\x7fkj.\x97\xc8\xd7\xbc1\xf5M\xd5\x06\xb6y\xca\xd3\x12#\\x87\xa9\x1d\xad\xbe\xd0\xbe\x88\xb2\x99\x1b\x16mb!\xed\xd0^\x04]\x85\xbdw\x8d\x94\xad!\xea\x08~}\x06\x09\x97\x8c\xf3H\xa0\x10'\x14^977\xf5J\xee\xf7G\xaeV_\xe9\xbdx,\xb4\xb7\xa7\xe7u\xdd\xff\xa4\xf5\x9a\xe8z~Y\x12.\xdb\x1d\x0e\x0c\xe5k\xd9/\xee\xd0;\x94<\xf9~QT\xc7?\xac_\xb3\xae\xd9\x0e;\x1c\xa7\x82\xdavy\xb0\xe8\x1a\xa3\xc6\xdf\x8c\xec\xb4\xe9^\x97\xca\xce\x06\xf3m\x15Nd\x96\xb5-c\xdd(\x9f\xed\x0ag\x05s\xbd\xc3v\x00'\x1b\x86j<@\xb6\xed\x88\x1fZI\x809-GKAu\xb2>" \xa0I\xa90\xbc\x83\xcb\x9f\xd5~\xf0n\xef\xe7\xf3\x7f\x93s0\xc4\xa3\x83\xd8J\x1fPsjx\x83\xe3p\xe6b\x99\xd2\x8d\xa6qV\xbe\xef\x8c\xfc\xed-\xebvLg\xf1\xe5L\xe4\x12\x8c9\x9e\x10%%k\x17\xc9\x8c%=1!\xd7\x08\xc3\xa3r\xe6\xda\xc7\xba\xb4\x7f}\xf9\x15\xfd\xef\xe1\xd0\xb0\x0a\x0a!AT6%\xf8\x1a|\x85\xe5\xd5\x0d\x1a\xad\xb4\x8c\xd4\x123\x80d4s\x15\x0d3\xb4\x83\xe7\xa7,l0\x9dSq:\x1c\x9d\x09&~Q\xc7'u\xe8}Qj\x88\xc3\xcd\x7ft\x80\xcc\xb8\\xfc{\xcb\xaa\xa9\x99xaS\x0c\xab\x81\xfe'}`J\xd4a6\xcb\xe0D\x12\xfa\xbd\x02\xbc\x0c\xc0\x1b\x14Q\x9a\xbd\xd9
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 2645
@@ -9320,16 +9272,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x01~^\x0a\x11^Z\xfb\x1e\x9fV2\x00V\xa4\x7fkj.\x97\xc8\xd7\xbc1\xf5M\xd5\x06\xb6y\xca\xd3\x12#\\x87\xa9\x1d\xad\xbe\xd0\xbe\x88\xb2\x99\x1b\x16mb!\xed\xd0^\x04]\x85\xbdw\x8d\x94\xad!\xea\x08~}\x06\x09\x97\x8c\xf3H\xa0\x10'\x14^977\xf5J\xee\xf7G\xaeV_\xe9\xbdx,\xb4\xb7\xa7\xe7u\xdd\xff\xa4\xf5\x9a\xe8z~Y\x12.\xdb\x1d\x0e\x0c\xe5k\xd9/\xee\xd0;\x94<\xf9~QT\xc7?\xac_\xb3\xae\xd9\x0e;\x1c\xa7\x82\xdavy\xb0\xe8\x1a\xa3\xc6\xdf\x8c\xec\xb4\xe9^\x97\xca\xce\x06\xf3m\x15Nd\x96\xb5-c\xdd(\x9f\xed\x0ag\x05s\xbd\xc3v\x00'\x1b\x86j<@\xb6\xed\x88\x1fZI\x809-GKAu\xb2>" \xa0I\xa90\xbc\x83\xcb\x9f\xd5~\xf0n\xef\xe7\xf3\x7f\x93s0\xc4\xa3\x83\xd8J\x1fPsjx\x83\xe3p\xe6b\x99\xd2\x8d\xa6qV\xbe\xef\x8c\xfc\xed-\xebvLg\xf1\xe5L\xe4\x12\x8c9\x9e\x10%%k\x17\xc9\x8c%=1!\xd7\x08\xc3\xa3r\xe6\xda\xc7\xba\xb4\x7f}\xf9\x15\xfd\xef\xe1\xd0\xb0\x0a\x0a!AT6%\xf8\x1a|\x85\xe5\xd5\x0d\x1a\xad\xb4\x8c\xd4\x123\x80d4s\x15\x0d3\xb4\x83\xe7\xa7,l0\x9dSq:\x1c\x9d\x09&~Q\xc7'u\xe8}Qj\x88\xc3\xcd\x7ft\x80\xcc\xb8\\xfc{\xcb\xaa\xa9\x99xaS\x0c\xab\x81\xfe'}`J\xd4a6\xcb\xe0D\x12\xfa\xbd\x02\xbc\x0c\xc0\x1b\x14Q\x9a\xbd\xd9
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=441, cap_len=441, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=427, id=50811, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=387, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=441, cap_len=441, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=427, id=50811, DF=T, MF=F, offset=0, ttl=243, p=6, sum=53715, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=387, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=57216, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613175, hl=20, dl=0, reserved=0, flags=16, win=8179], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=57216, DF=T, MF=F, offset=0, ttl=64, p=6, sum=27986, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613175, hl=20, dl=0, reserved=0, flags=16, win=8179], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9338,20 +9290,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=57216, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613175, hl=20, dl=0, reserved=0, flags=16, win=8179], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=57216, DF=T, MF=F, offset=0, ttl=64, p=6, sum=27986, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613175, hl=20, dl=0, reserved=0, flags=16, win=8179], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=50813, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613175, ack=3289395629, hl=20, dl=36, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=50813, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54064, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613175, ack=3289395629, hl=20, dl=36, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x00\x1f\x86\xcbd\x09A\xce\xf6\x10BC*\xde\xe9\x1a\x0e\B\xccr\xbe\xe4\xe4A`+[\x19\x9dh/\x0b
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3032
@@ -9360,16 +9312,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x00\x1f\x86\xcbd\x09A\xce\xf6\x10BC*\xde\xe9\x1a\x0e\B\xccr\xbe\xe4\xe4A`+[\x19\x9dh/\x0b
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=50813, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613175, ack=3289395629, hl=20, dl=36, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=90, cap_len=90, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=76, id=50813, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54064, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613175, ack=3289395629, hl=20, dl=36, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=61089, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613211, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=61089, DF=T, MF=F, offset=0, ttl=64, p=6, sum=24113, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613211, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9378,20 +9330,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=61089, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613211, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=61089, DF=T, MF=F, offset=0, ttl=64, p=6, sum=24113, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613211, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=600, id=50815, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613211, ack=3289395629, hl=20, dl=560, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=600, id=50815, DF=T, MF=F, offset=0, ttl=243, p=6, sum=53538, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613211, ack=3289395629, hl=20, dl=560, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x02+\xb3\x16\x88+\x1d\xcc#\xdb\x91;d\xe5&\xa2\xa7\x12\x19W<\xb3m\xe7d\x89\x98f\x98}J\x0c\xdb\x0d\xba\xe1A\xf5\xeb\x90 yY\xa5\x82O\x85\xd0\x02\xbc\x1d\xa6w\x9a\xe8\xfe5\x91\xcfkrwn,\x12\xc0'\xe2\xb5\xf8\xff\x15\xfd\xc9Kq\x1fY\xfb1p\xd6\x11;7\x89\xc4\xddQ]\x19C\xcf\x80\xac\xbc\xa1\x8ch\xb0\x87e3\x85-o\x17\xbc@\xb5M\x82\x82Q\x93$!G1~\xa5"\x8aE\xc3\x83\xd7\x8d\xa1H\xa4\x84\x8c\xab\x84T\xc56\x89\x16\xa9Q\x1d\x8e\xc0\xa0\xe2\x01\x02\x8e=\xce\x7f{\xc6E\xf3Z\xd9\x059\x19:\xfc\x19\xe7Tb6_\x02\x9eH#\x86\xae\xfe\xac\xe3\xbe\xfb\xc2\xb9$;\x0e\x0e,7\x09\xac.\x96\x008\xdax\xbd\xef\x88\x1e@\x98\x97\x97\xb6A\x0c\xf2^\x87\x036\xe3@\x9d\x08\xf5\xb4\x9ay\xd4AIc\x08P\x95\xfd\xde\x9a23\xd8\x047>C\x81g{\x0d\xd9\xb4\x99\xc2\xd5\x8e?\xb9\x1d\x9di\x14\xdd\x98Q\xd4\x12\x18\x07\x02\x1cr\xb8%6T0\xb5l\x1e\xa9\x85U\x8d\xc5=`Q\xa2\x05lF\x96\x9d\xf0\xdd\xe0\xb5T:K\x94O\x81\x97\xaa\xd9\x1dQE\xfd\xa6C\xbc\xd9\xaa\xcc\xef{\x14Z\xfc\x0d\xaez4\x96\xa2q\x91\x9aN{@Y\xef\x1dt\xe06\x9e\xd7\xd9H\xdbw\xed{\xf6\Y\xf4\x96l\xd9\\xb5\x0fH\xcf-\xf1\x1c\xf5\x9a%\x06\x8e\xde\xbbk\xa5\N\xbf\x16\xea_SN\xa4\x1fp\x93TY\x1f\xf0\x08=\x9al\x83)\xf1."z\xd2Z\x1a\xe8.N\xe74\x7f\xa6l};\xe3\x86\x8d\x85v\x0c\x9a\xd3'T\xac\x8a\x9a\\xc0\xdf5h\xd3\xd0\x06<R\xe8\xf1\x1d\x80\xad\x99l\x9d\x96g\xa3\xb3\xfe\xd2\xf5$\x03\xc5r\xa7\x02\xa8\xb2\x93\xbb\xa8!?\x8a&\xd4\x84n\x85s\x9e]\xf5\xcc!\x9f\xeehm+Y\xf9\xee\xc8\xd6\xf46K\x0f\xce'\xef/V\xa6\xaf$\x0f\xdc\xccA*\xbc\xdd'\xe5\x97d\x188\xa9\xd7\x9bxE\xc3\x82I\xa0\xb4\xf4\x09\x1cCL.3\x98\x08FLV.f\xfd\x8a2\xd7\x83\x9c\xfb\x05\xa6\xde\xe10/!\x0a\xa6\x1epWLX\xa7\x05\xc5\x15\xca.w\xdd\xcd\x91\xf6
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3068
@@ -9400,20 +9352,20 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x02+\xb3\x16\x88+\x1d\xcc#\xdb\x91;d\xe5&\xa2\xa7\x12\x19W<\xb3m\xe7d\x89\x98f\x98}J\x0c\xdb\x0d\xba\xe1A\xf5\xeb\x90 yY\xa5\x82O\x85\xd0\x02\xbc\x1d\xa6w\x9a\xe8\xfe5\x91\xcfkrwn,\x12\xc0'\xe2\xb5\xf8\xff\x15\xfd\xc9Kq\x1fY\xfb1p\xd6\x11;7\x89\xc4\xddQ]\x19C\xcf\x80\xac\xbc\xa1\x8ch\xb0\x87e3\x85-o\x17\xbc@\xb5M\x82\x82Q\x93$!G1~\xa5"\x8aE\xc3\x83\xd7\x8d\xa1H\xa4\x84\x8c\xab\x84T\xc56\x89\x16\xa9Q\x1d\x8e\xc0\xa0\xe2\x01\x02\x8e=\xce\x7f{\xc6E\xf3Z\xd9\x059\x19:\xfc\x19\xe7Tb6_\x02\x9eH#\x86\xae\xfe\xac\xe3\xbe\xfb\xc2\xb9$;\x0e\x0e,7\x09\xac.\x96\x008\xdax\xbd\xef\x88\x1e@\x98\x97\x97\xb6A\x0c\xf2^\x87\x036\xe3@\x9d\x08\xf5\xb4\x9ay\xd4AIc\x08P\x95\xfd\xde\x9a23\xd8\x047>C\x81g{\x0d\xd9\xb4\x99\xc2\xd5\x8e?\xb9\x1d\x9di\x14\xdd\x98Q\xd4\x12\x18\x07\x02\x1cr\xb8%6T0\xb5l\x1e\xa9\x85U\x8d\xc5=`Q\xa2\x05lF\x96\x9d\xf0\xdd\xe0\xb5T:K\x94O\x81\x97\xaa\xd9\x1dQE\xfd\xa6C\xbc\xd9\xaa\xcc\xef{\x14Z\xfc\x0d\xaez4\x96\xa2q\x91\x9aN{@Y\xef\x1dt\xe06\x9e\xd7\xd9H\xdbw\xed{\xf6\Y\xf4\x96l\xd9\\xb5\x0fH\xcf-\xf1\x1c\xf5\x9a%\x06\x8e\xde\xbbk\xa5\N\xbf\x16\xea_SN\xa4\x1fp\x93TY\x1f\xf0\x08=\x9al\x83)\xf1."z\xd2Z\x1a\xe8.N\xe74\x7f\xa6l};\xe3\x86\x8d\x85v\x0c\x9a\xd3'T\xac\x8a\x9a\\xc0\xdf5h\xd3\xd0\x06<R\xe8\xf1\x1d\x80\xad\x99l\x9d\x96g\xa3\xb3\xfe\xd2\xf5$\x03\xc5r\xa7\x02\xa8\xb2\x93\xbb\xa8!?\x8a&\xd4\x84n\x85s\x9e]\xf5\xcc!\x9f\xeehm+Y\xf9\xee\xc8\xd6\xf46K\x0f\xce'\xef/V\xa6\xaf$\x0f\xdc\xccA*\xbc\xdd'\xe5\x97d\x188\xa9\xd7\x9bxE\xc3\x82I\xa0\xb4\xf4\x09\x1cCL.3\x98\x08FLV.f\xfd\x8a2\xd7\x83\x9c\xfb\x05\xa6\xde\xe10/!\x0a\xa6\x1epWLX\xa7\x05\xc5\x15\xca.w\xdd\xcd\x91\xf6
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=614, cap_len=614, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=600, id=50815, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613211, ack=3289395629, hl=20, dl=560, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=614, cap_len=614, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=600, id=50815, DF=T, MF=F, offset=0, ttl=243, p=6, sum=53538, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613211, ack=3289395629, hl=20, dl=560, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=66, id=50817, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613771, ack=3289395629, hl=20, dl=26, reserved=0, flags=24, win=4345], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=66, id=50817, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54070, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613771, ack=3289395629, hl=20, dl=26, reserved=0, flags=24, win=4345], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x00\x15m\xfc&\xad\x07\xf2\xc9\xc3\xd3\xae/X\x8c=\xa4q\xec\xc09M\x1c
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3628
@@ -9422,16 +9374,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x17\x03\x03\x00\x15m\xfc&\xad\x07\xf2\xc9\xc3\xd3\xae/X\x8c=\xa4q\xec\xc09M\x1c
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=80, cap_len=80, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=66, id=50817, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613771, ack=3289395629, hl=20, dl=26, reserved=0, flags=24, win=4345], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=80, cap_len=80, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=66, id=50817, DF=T, MF=F, offset=0, ttl=243, p=6, sum=54070, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613771, ack=3289395629, hl=20, dl=26, reserved=0, flags=24, win=4345], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=42793, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613771, hl=20, dl=0, reserved=0, flags=16, win=8174], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=42793, DF=T, MF=F, offset=0, ttl=64, p=6, sum=42409, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613771, hl=20, dl=0, reserved=0, flags=16, win=8174], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9440,16 +9392,16 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=42793, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613771, hl=20, dl=0, reserved=0, flags=16, win=8174], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=42793, DF=T, MF=F, offset=0, ttl=64, p=6, sum=42409, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613771, hl=20, dl=0, reserved=0, flags=16, win=8174], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=11881, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613797, hl=20, dl=0, reserved=0, flags=16, win=8173], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=11881, DF=T, MF=F, offset=0, ttl=64, p=6, sum=7786, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613797, hl=20, dl=0, reserved=0, flags=16, win=8173], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9458,7 +9410,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = 
 
 XXXXXXXXXX.XXXXXX raw_packet
-                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=11881, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613797, hl=20, dl=0, reserved=0, flags=16, win=8173], udp=<uninitialized>, icmp=<uninitialized>]
+                  [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=54, cap_len=54, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=40, id=11881, DF=T, MF=F, offset=0, ttl=64, p=6, sum=7786, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613797, hl=20, dl=0, reserved=0, flags=16, win=8173], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
@@ -9476,10 +9428,10 @@ XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX connection_pending
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, hrr_seen=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=F, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha256WithRSAEncryption], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_pending
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mqtt=<uninitialized>, mqtt_state=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/Baseline/spicy.analyzer-tag/output b/testing/btest/Baseline/spicy.analyzer-tag/output
new file mode 100644
index 0000000000..947980697b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.analyzer-tag/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Have analyzer!
+tag: Analyzer::ANALYZER_SPICY_SSH
+name: SPICY_SSH
+
+Do not have analyzer!
diff --git a/testing/btest/Baseline/spicy.conn-id/output b/testing/btest/Baseline/spicy.conn-id/output
new file mode 100644
index 0000000000..bd3e565a86
--- /dev/null
+++ b/testing/btest/Baseline/spicy.conn-id/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+(192.150.186.169, 49244/tcp, 131.159.14.23, 22/tcp)
+(2001:470:1f11:81f:c999:d94:aa7c:2e3e, 49185/tcp, 2001:470:4867:99::21, 21/tcp)
diff --git a/testing/btest/Baseline/spicy.context/output b/testing/btest/Baseline/spicy.context/output
new file mode 100644
index 0000000000..a4cf9692d1
--- /dev/null
+++ b/testing/btest/Baseline/spicy.context/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+(b"2.0", b"1.99")
diff --git a/testing/btest/Baseline/spicy.dns/output b/testing/btest/Baseline/spicy.dns/output
new file mode 100644
index 0000000000..d53b87e459
--- /dev/null
+++ b/testing/btest/Baseline/spicy.dns/output
@@ -0,0 +1,3 @@
+[orig_h=192.150.186.169, orig_p=55587/udp, resp_h=192.150.186.8, resp_p=53/udp], [id=29622, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0], www.heise.de, 1, 1
+[orig_h=192.150.186.169, orig_p=55588/udp, resp_h=192.150.186.8, resp_p=53/udp], [id=15429, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0], www.google.com, 1, 1
+[orig_h=192.150.186.169, orig_p=55589/udp, resp_h=192.150.186.8, resp_p=53/udp], [id=27360, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0], www.net.in.tum.de, 1, 1
diff --git a/testing/btest/Baseline/spicy.double-event/output b/testing/btest/Baseline/spicy.double-event/output
new file mode 100644
index 0000000000..5468e641f2
--- /dev/null
+++ b/testing/btest/Baseline/spicy.double-event/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1, OpenSSH_3.8.1p1
+1, OpenSSH_3.9p1
+2, OpenSSH_3.8.1p1
+2, OpenSSH_3.9p1
diff --git a/testing/btest/Baseline/spicy.double-types/output b/testing/btest/Baseline/spicy.double-types/output
new file mode 100644
index 0000000000..319e263d92
--- /dev/null
+++ b/testing/btest/Baseline/spicy.double-types/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dtest_message, dtest::FUNCS_YES
+dtest_result, dtest::RESULT_YES_AGAIN
+dtest_result_tuple, dtest::FUNCS_YES, dtest::RESULT_YES_AGAIN
diff --git a/testing/btest/Baseline/spicy.event-args-fail-2/output b/testing/btest/Baseline/spicy.event-args-fail-2/output
new file mode 100644
index 0000000000..bc372c9ae4
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail-2/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:2: signature for hook must be: %error or %error(err: string)
+[error] <Spicy Plugin for Zeek>: aborting after errors
diff --git a/testing/btest/Baseline/spicy.event-args-fail-3/output b/testing/btest/Baseline/spicy.event-args-fail-3/output
new file mode 100644
index 0000000000..bc372c9ae4
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail-3/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:2: signature for hook must be: %error or %error(err: string)
+[error] <Spicy Plugin for Zeek>: aborting after errors
diff --git a/testing/btest/Baseline/spicy.event-args-fail-4/output b/testing/btest/Baseline/spicy.event-args-fail-4/output
new file mode 100644
index 0000000000..24978f354d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail-4/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:2: expected id
+[error] error loading EVT file "<...>/event-args-fail.evt"
diff --git a/testing/btest/Baseline/spicy.event-args-fail-5/output b/testing/btest/Baseline/spicy.event-args-fail-5/output
new file mode 100644
index 0000000000..24978f354d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail-5/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:2: expected id
+[error] error loading EVT file "<...>/event-args-fail.evt"
diff --git a/testing/btest/Baseline/spicy.event-args-fail-6/output b/testing/btest/Baseline/spicy.event-args-fail-6/output
new file mode 100644
index 0000000000..4aa8c30fd9
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail-6/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:2: expected ':'
+[error] error loading EVT file "<...>/event-args-fail.evt"
diff --git a/testing/btest/Baseline/spicy.event-args-fail/output b/testing/btest/Baseline/spicy.event-args-fail/output
new file mode 100644
index 0000000000..8a0a39ce64
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-fail/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/event-args-fail.evt:10: mismatching type
+[error] error loading EVT file "<...>/event-args-fail.evt"
diff --git a/testing/btest/Baseline/spicy.event-args-mismatch/output b/testing/btest/Baseline/spicy.event-args-mismatch/output
new file mode 100644
index 0000000000..3f6f6338db
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args-mismatch/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX analyzer error in <...>/test.evt, line 6: Event parameter mismatch, cannot convert Spicy value of type 'string' to Zeek value of type 'count'
diff --git a/testing/btest/Baseline/spicy.event-args/output b/testing/btest/Baseline/spicy.event-args/output
new file mode 100644
index 0000000000..32754ee44b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-args/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Error message: failed to match regular expression (<...>/test.spicy:7:15)
+Error message: n/a
diff --git a/testing/btest/Baseline/spicy.event-cond/output b/testing/btest/Baseline/spicy.event-cond/output
new file mode 100644
index 0000000000..96e69ffb61
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-cond/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1, OpenSSH_3.8.1p1
+1, OpenSSH_3.9p1
+3, OpenSSH_3.9p1
+4, OpenSSH_3.8.1p1
+5, OpenSSH_3.8.1p1
diff --git a/testing/btest/Baseline/spicy.event-user-type/output b/testing/btest/Baseline/spicy.event-user-type/output
new file mode 100644
index 0000000000..b2d3b4bb06
--- /dev/null
+++ b/testing/btest/Baseline/spicy.event-user-type/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+is_orig=1 y=[n=1, y=12345]
+is_orig=0 y=[n=2, y=ABCDE]
+is_orig=1 y=[n=3, y=67890]
+is_orig=0 y=[n=4, y=FGHIJ]
diff --git a/testing/btest/Baseline/spicy.export-enum/output b/testing/btest/Baseline/spicy.export-enum/output
new file mode 100644
index 0000000000..a2ba7bf00d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.export-enum/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+TupleEnum::TestEnum_A
+TupleEnum::TestEnum_Undef
+    [Type] TupleEnum::TestEnum
diff --git a/testing/btest/Baseline/spicy.export-type-e2e/output b/testing/btest/Baseline/spicy.export-type-e2e/output
new file mode 100644
index 0000000000..97c098fbaf
--- /dev/null
+++ b/testing/btest/Baseline/spicy.export-type-e2e/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[x=71]
+[x=72]
diff --git a/testing/btest/Baseline/spicy.export-type-fail/output b/testing/btest/Baseline/spicy.export-type-fail/output
new file mode 100644
index 0000000000..0c3723bac2
--- /dev/null
+++ b/testing/btest/Baseline/spicy.export-type-fail/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] unknown type 'Test::DOES_NOT_EXIST' exported
+[error] unknown type 'NOT_SCOPED' exported
+[error] <...>/foo.spicy:1:13-5:3: cannot export Spicy type 'Test::X': type is self-recursive
+[error] <...>/foo.spicy:9:3-13:3: cannot export Spicy type 'Test::Z': can only convert tuple types with all-named fields to Zeek
+[error] <Spicy Plugin for Zeek>: aborting after errors
diff --git a/testing/btest/Baseline/spicy.export-types/output b/testing/btest/Baseline/spicy.export-types/output
new file mode 100644
index 0000000000..bf6b8458ae
--- /dev/null
+++ b/testing/btest/Baseline/spicy.export-types/output
@@ -0,0 +1,42 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Test::e
+Test::s
+Test::type_enum
+Test::type_enum_A
+Test::type_enum_B
+Test::type_enum_C
+Test::type_enum_Undef
+Test::type_record_u, {
+[s] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[u2] = [type_name=record , log=F, value=<uninitialized>, default_val=<uninitialized>],
+[b] = [type_name=bool, log=F, value=<uninitialized>, default_val=<uninitialized>]
+}
+Test::u
+Test::u2
+XYZ::type_record_sss, {
+[a] = [type_name=addr, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[v] = [type_name=vector of string, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[iv] = [type_name=interval, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[t] = [type_name=time, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[s] = [type_name=set[enum], log=F, value=<uninitialized>, default_val=<uninitialized>],
+[p] = [type_name=port, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[b] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[i] = [type_name=int, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[o] = [type_name=string, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[m] = [type_name=table[addr] of string, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[u] = [type_name=record , log=F, value=<uninitialized>, default_val=<uninitialized>],
+[j] = [type_name=count, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[e] = [type_name=enum, log=F, value=<uninitialized>, default_val=<uninitialized>],
+[r] = [type_name=double, log=F, value=<uninitialized>, default_val=<uninitialized>]
+}
+type_record_u2, {
+[t] = [type_name=record , log=F, value=<uninitialized>, default_val=<uninitialized>]
+}
+---
+[a=1.2.3.4, b=bytes, e=Test::type_enum_B, i=-10, iv=5.0 secs, j=10, m={
+[4.3.2.1] = addr1,
+[4.3.2.2] = addr2
+}, o=string, p=42/tcp, r=3.14, s={
+Test::type_enum_A,
+Test::type_enum_B
+}, t=0.0, u=[s=S, b=T, u2=[t=[x=S, y=T]]], v=[1, 2, 3]]
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in-concurrent/output b/testing/btest/Baseline/spicy.file-analysis-data-in-concurrent/output
new file mode 100644
index 0000000000..f8c8eb4e6a
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analysis-data-in-concurrent/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+123456
+AAABBBCCC
+!@#$
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in/files.log b/testing/btest/Baseline/spicy.file-analysis-data-in/files.log
new file mode 100644
index 0000000000..13ef56de71
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analysis-data-in/files.log
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2	foo-1.txt
+dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2	foo-2.txt
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in/output b/testing/btest/Baseline/spicy.file-analysis-data-in/output
new file mode 100644
index 0000000000..8a97453dba
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analysis-data-in/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+FM47gX3vI5ofQPm1li
+FZjUS57tUkGFTibv3
diff --git a/testing/btest/Baseline/spicy.file-analysis-data-in/x509.log b/testing/btest/Baseline/spicy.file-analysis-data-in/x509.log
new file mode 100644
index 0000000000..a82109b77b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analysis-data-in/x509.log
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+01E3B49AA18D8AA981256950B8	CN=GTS CA 1O1,O=Google Trust Services,C=US
+01E3B49AA18D8AA981256950B8	CN=GTS CA 1O1,O=Google Trust Services,C=US
diff --git a/testing/btest/Baseline/spicy.file-analyzer-nested/files b/testing/btest/Baseline/spicy.file-analyzer-nested/files
new file mode 100644
index 0000000000..d4be2a414f
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer-nested/files
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+SPICY_TEXT2	SPICY_TEXT3	-	text/plain3
+SPICY_TEXT2	SPICY_TEXT3	-	text/plain3
+SPICY_TEXT1	SPICY_TEXT2	-	text/plain2
+HTTP	SPICY_TEXT1	-	text/plain
+HTTP	(empty)	-	text/json
diff --git a/testing/btest/Baseline/spicy.file-analyzer-nested/output b/testing/btest/Baseline/spicy.file-analyzer-nested/output
new file mode 100644
index 0000000000..7ef28af9e7
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer-nested/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+data2, F2Qpmk14ATv4vFSEsi, from 1:hello world
+data3, FyjjRu4ARLzpsPLhNh, from 2a:from 1:hello world
+data3, Fz3QLf4Bn4qaQwyUdk, from 2b:from 1:hello world
+data1, FcRmxz1fPbKQEgGGUi, hello world
diff --git a/testing/btest/Baseline/spicy.file-analyzer-nested/output-max b/testing/btest/Baseline/spicy.file-analyzer-nested/output-max
new file mode 100644
index 0000000000..c7a6a03585
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer-nested/output-max
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+data3, FyjjRu4ARLzpsPLhNh, 
+data3, Fz3QLf4Bn4qaQwyUdk, 
+depth warning, FyjjRu4ARLzpsPLhNh, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0], 2
+depth warning, Fz3QLf4Bn4qaQwyUdk, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0], 2
+data2, F2Qpmk14ATv4vFSEsi, from 1:hello world
+data1, FcRmxz1fPbKQEgGGUi, hello world
diff --git a/testing/btest/Baseline/spicy.file-analyzer-property/output b/testing/btest/Baseline/spicy.file-analyzer-property/output
new file mode 100644
index 0000000000..8a3282b885
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer-property/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+text data, FcRmxz1fPbKQEgGGUi, hello world
diff --git a/testing/btest/Baseline/spicy.file-analyzer/output b/testing/btest/Baseline/spicy.file-analyzer/output
new file mode 100644
index 0000000000..fbaa94308b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Files::ANALYZER_SPICY_TEXT
+text data, FcRmxz1fPbKQEgGGUi, hello world
diff --git a/testing/btest/Baseline/spicy.file-analyzer/weird.log b/testing/btest/Baseline/spicy.file-analyzer/weird.log
new file mode 100644
index 0000000000..78c4d901d5
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-analyzer/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	test_weird	FcRmxz1fPbKQEgGGUi	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.file-data-in-at-offset/output b/testing/btest/Baseline/spicy.file-data-in-at-offset/output
new file mode 100644
index 0000000000..8a97453dba
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-data-in-at-offset/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+FM47gX3vI5ofQPm1li
+FZjUS57tUkGFTibv3
diff --git a/testing/btest/Baseline/spicy.file-data-in-at-offset/x509.log b/testing/btest/Baseline/spicy.file-data-in-at-offset/x509.log
new file mode 100644
index 0000000000..a82109b77b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-data-in-at-offset/x509.log
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+01E3B49AA18D8AA981256950B8	CN=GTS CA 1O1,O=Google Trust Services,C=US
+01E3B49AA18D8AA981256950B8	CN=GTS CA 1O1,O=Google Trust Services,C=US
diff --git a/testing/btest/Baseline/spicy.file-replaces/output b/testing/btest/Baseline/spicy.file-replaces/output
new file mode 100644
index 0000000000..d3b2cbe683
--- /dev/null
+++ b/testing/btest/Baseline/spicy.file-replaces/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+FTP_DATA	SPICY_PE	-	application/x-dosexec
+FTP_DATA	PE	-	application/x-dosexec
diff --git a/testing/btest/Baseline/spicy.gap-recovery/output b/testing/btest/Baseline/spicy.gap-recovery/output
new file mode 100644
index 0000000000..e0bff6eeee
--- /dev/null
+++ b/testing/btest/Baseline/spicy.gap-recovery/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[$responses=[[$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999]]]
+[$requests=[[$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"]]]
diff --git a/testing/btest/Baseline/spicy.gap-recovery/output-before-spicy-issue-1303 b/testing/btest/Baseline/spicy.gap-recovery/output-before-spicy-issue-1303
new file mode 100644
index 0000000000..1ea6e7f5fd
--- /dev/null
+++ b/testing/btest/Baseline/spicy.gap-recovery/output-before-spicy-issue-1303
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[$responses=[[$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999], [$marker=b"HTTP", $len=3070], [$marker=b"HTTP", $len=21999]]]
+[$requests=[[$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"], [$marker=b"GET"]]]
diff --git a/testing/btest/Baseline/spicy.import-from/output b/testing/btest/Baseline/spicy.import-from/output
new file mode 100644
index 0000000000..cbd8dfcf6c
--- /dev/null
+++ b/testing/btest/Baseline/spicy.import-from/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Foo::x, Foo::y
+Foo::x, Foo::y
diff --git a/testing/btest/Baseline/spicy.list-conversion/output b/testing/btest/Baseline/spicy.list-conversion/output
new file mode 100644
index 0000000000..8cd97f2a2d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.list-conversion/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp]
+T
+[[a=83, b=84], [a=83, b=84], [a=72, b=73], [a=45, b=46], [a=50, b=51]]
+11824
+11599
diff --git a/testing/btest/Baseline/spicy.module-path/output b/testing/btest/Baseline/spicy.module-path/output
new file mode 100644
index 0000000000..58fb13eb69
--- /dev/null
+++ b/testing/btest/Baseline/spicy.module-path/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Got it
+Got it
diff --git a/testing/btest/Baseline/spicy.multiple-enum/output b/testing/btest/Baseline/spicy.multiple-enum/output
new file mode 100644
index 0000000000..c8c9711862
--- /dev/null
+++ b/testing/btest/Baseline/spicy.multiple-enum/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+one, dtest::RESULT_B
diff --git a/testing/btest/Baseline/spicy.network-time/output b/testing/btest/Baseline/spicy.network-time/output
new file mode 100644
index 0000000000..75525822e2
--- /dev/null
+++ b/testing/btest/Baseline/spicy.network-time/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1584014617531080960
+1584014621661943040
+1584014625494254080
+1584014635499969024
diff --git a/testing/btest/Baseline/spicy.optional/output b/testing/btest/Baseline/spicy.optional/output
new file mode 100644
index 0000000000..274745b8e9
--- /dev/null
+++ b/testing/btest/Baseline/spicy.optional/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[x=<uninitialized>]
diff --git a/testing/btest/Baseline/spicy.packet-analyzer-on-ip/output b/testing/btest/Baseline/spicy.packet-analyzer-on-ip/output
new file mode 100644
index 0000000000..8e3eec68ec
--- /dev/null
+++ b/testing/btest/Baseline/spicy.packet-analyzer-on-ip/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+MACs: src=00:d0:b7:1e:be:20 dst=00:10:dc:72:4c:5f
+IPs : src=207.158.192.40 dst=10.20.1.31
+raw bytes: 441
diff --git a/testing/btest/Baseline/spicy.packet-analyzer-replaces/output-on b/testing/btest/Baseline/spicy.packet-analyzer-replaces/output-on
new file mode 100644
index 0000000000..7da1ca64df
--- /dev/null
+++ b/testing/btest/Baseline/spicy.packet-analyzer-replaces/output-on
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+My Ethernet:, \x00\x10\xdcrL_\x00\xd0\xb7\x1e\xbe \x08\x00
diff --git a/testing/btest/Baseline/spicy.packet-analyzer-violation/output b/testing/btest/Baseline/spicy.packet-analyzer-violation/output
new file mode 100644
index 0000000000..86d53cbba8
--- /dev/null
+++ b/testing/btest/Baseline/spicy.packet-analyzer-violation/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[spicy] test::Foo
diff --git a/testing/btest/Baseline/spicy.packet-analyzer/output b/testing/btest/Baseline/spicy.packet-analyzer/output
new file mode 100644
index 0000000000..11985837fa
--- /dev/null
+++ b/testing/btest/Baseline/spicy.packet-analyzer/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+MACs: src=c8:5b:76:bd:77:ab dst=ff:ff:ff:ff:ff:ff
+raw data, I am encapsulating 
diff --git a/testing/btest/Baseline/spicy.packet-analyzer/weird.log b/testing/btest/Baseline/spicy.packet-analyzer/weird.log
new file mode 100644
index 0000000000..df5e5005e0
--- /dev/null
+++ b/testing/btest/Baseline/spicy.packet-analyzer/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	test_weird	-	F	zeek	SPICY_RAWLAYER
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.parse-error/dpd.log b/testing/btest/Baseline/spicy.parse-error/dpd.log
new file mode 100644
index 0000000000..8b8724f2b1
--- /dev/null
+++ b/testing/btest/Baseline/spicy.parse-error/dpd.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.186.169	49244	131.159.14.23	22	tcp	SPICY_SSH	failed to match regular expression (<...>/test.spicy:9:15) [SSH-2.0-OpenSSH_3.8.1p1\x0a]
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.port-fail-2/output b/testing/btest/Baseline/spicy.port-fail-2/output
new file mode 100644
index 0000000000..c4d245f758
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-fail-2/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/port-fail.evt:3: cannot parse port specification
+[error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.port-fail-3/output b/testing/btest/Baseline/spicy.port-fail-3/output
new file mode 100644
index 0000000000..e0371b533d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-fail-3/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/port-fail.evt:3: start and end of port range must have same protocol
+[error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.port-fail-4/output b/testing/btest/Baseline/spicy.port-fail-4/output
new file mode 100644
index 0000000000..04c5deda11
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-fail-4/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/port-fail.evt:3: start of port range cannot be after its end
+[error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.port-fail-5/output b/testing/btest/Baseline/spicy.port-fail-5/output
new file mode 100644
index 0000000000..04c5deda11
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-fail-5/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/port-fail.evt:3: start of port range cannot be after its end
+[error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.port-fail/output b/testing/btest/Baseline/spicy.port-fail/output
new file mode 100644
index 0000000000..24eb09807d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port-fail/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[error] <...>/port-fail.evt:7: port outside of valid range
+[error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-2/output b/testing/btest/Baseline/spicy.preprocessor-fail-2/output
new file mode 100644
index 0000000000..ebe79b98ce
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-2/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:4: unterminated preprocessor directive
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-3/output b/testing/btest/Baseline/spicy.preprocessor-fail-3/output
new file mode 100644
index 0000000000..735d25c6a9
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-3/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:2: @else without @if
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-4/output b/testing/btest/Baseline/spicy.preprocessor-fail-4/output
new file mode 100644
index 0000000000..e405d7c984
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-4/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:2: @endif without @if
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-5/output b/testing/btest/Baseline/spicy.preprocessor-fail-5/output
new file mode 100644
index 0000000000..56ee863366
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-5/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:6: unterminated preprocessor directive
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-6/output b/testing/btest/Baseline/spicy.preprocessor-fail-6/output
new file mode 100644
index 0000000000..240ed695d2
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-6/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:2: cannot parse integer value
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail-7/output b/testing/btest/Baseline/spicy.preprocessor-fail-7/output
new file mode 100644
index 0000000000..240ed695d2
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail-7/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:2: cannot parse integer value
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-fail/output b/testing/btest/Baseline/spicy.preprocessor-fail/output
new file mode 100644
index 0000000000..334fba930d
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-fail/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor-fail.evt"
+[debug/zeek] Loading events from "<...>/preprocessor-fail.evt"
+[error] <...>/preprocessor-fail.evt:7: unterminated preprocessor directive
+[error] error loading EVT file "<...>/preprocessor-fail.evt"
diff --git a/testing/btest/Baseline/spicy.preprocessor-spicy/output b/testing/btest/Baseline/spicy.preprocessor-spicy/output
new file mode 100644
index 0000000000..736578c927
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor-spicy/output
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+== spicyz
+    ::hilti::rt::print(std::string("have zeek"), ::hilti::rt::Bool(true));
+    ::hilti::rt::print(std::string("have spicy version"), ::hilti::rt::Bool(true));
+    ::hilti::rt::print(std::string("have spicy version >= 0.4"), ::hilti::rt::Bool(true));
+    ::hilti::rt::print(std::string("not have spicy version >= 4"), ::hilti::rt::Bool(true));
+    ::hilti::rt::print(std::string("have zeek and zeek version > 1.0"), ::hilti::rt::Bool(true));
diff --git a/testing/btest/Baseline/spicy.preprocessor/output b/testing/btest/Baseline/spicy.preprocessor/output
new file mode 100644
index 0000000000..0c77fb42d6
--- /dev/null
+++ b/testing/btest/Baseline/spicy.preprocessor/output
@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[debug/zeek] Loading EVT file "<...>/preprocessor.evt"
+[debug/zeek] Loading events from "<...>/preprocessor.evt"
+[debug/zeek]   Got protocol analyzer definition for YES_1
+[debug/zeek]   Got protocol analyzer definition for YES_2
+[debug/zeek]   Got protocol analyzer definition for YES_3
+[debug/zeek]   Got protocol analyzer definition for YES_4
+[debug/zeek]   Got protocol analyzer definition for YES_5
+[debug/zeek]   Got protocol analyzer definition for YES_6
diff --git a/testing/btest/Baseline/spicy.profiling/output b/testing/btest/Baseline/spicy.profiling/output
new file mode 100644
index 0000000000..596d18cd05
--- /dev/null
+++ b/testing/btest/Baseline/spicy.profiling/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], F, 1.99, OpenSSH_3.9p1
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], T, 2.0, OpenSSH_3.8.1p1
diff --git a/testing/btest/Baseline/spicy.profiling/prof.log b/testing/btest/Baseline/spicy.profiling/prof.log
new file mode 100644
index 0000000000..30c7611635
--- /dev/null
+++ b/testing/btest/Baseline/spicy.profiling/prof.log
@@ -0,0 +1,22 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+# 
+# Profiling
+# 
+#name count
+hilti/func/SSH::Banner::__on_0x25_done 2
+hilti/func/SSH::Banner::__parse_SSH_Banner_stage2 2
+hilti/func/SSH::Banner::__parse_stage1 2
+hilti/func/SSH::Banner::parse1 2
+hilti/func/SSH::__register_SSH_Banner 1
+hilti/total 1
+spicy/prepare/stream/SSH::Banner 2
+spicy/unit/SSH::Banner 2
+spicy/unit/SSH::Banner::dash 2
+spicy/unit/SSH::Banner::magic 2
+spicy/unit/SSH::Banner::software 2
+spicy/unit/SSH::Banner::version 2
+zeek/event/ssh::banner 2
+zeek/rt/current_conn 2
+zeek/rt/current_is_orig 2
+zeek/rt/event_arg_type 4
+zeek/rt/raise_event 2
diff --git a/testing/btest/Baseline/spicy.protocol-analyzer-data-in/http.log b/testing/btest/Baseline/spicy.protocol-analyzer-data-in/http.log
new file mode 100644
index 0000000000..ef750de38b
--- /dev/null
+++ b/testing/btest/Baseline/spicy.protocol-analyzer-data-in/http.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.186.169	49244	131.159.14.23	22	1	GET	-	/etc/passwd1	-	1.0	-	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.186.169	49244	131.159.14.23	22	2	GET	-	/etc/passwd1.1	-	1.0	-	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.186.169	49244	131.159.14.23	22	3	GET	-	/etc/passwd2	-	1.0	-	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.protocol-analyzer-explicit-forwarding/output b/testing/btest/Baseline/spicy.protocol-analyzer-explicit-forwarding/output
new file mode 100644
index 0000000000..50ec554426
--- /dev/null
+++ b/testing/btest/Baseline/spicy.protocol-analyzer-explicit-forwarding/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ys=only Y
+ys=both Y and Z
+zs=both Y and Z
+ys=only Y after removal of Z
diff --git a/testing/btest/Baseline/spicy.protocol-analyzer-tcp-over-udp/ssh.log b/testing/btest/Baseline/spicy.protocol-analyzer-tcp-over-udp/ssh.log
new file mode 100644
index 0000000000..7edf099750
--- /dev/null
+++ b/testing/btest/Baseline/spicy.protocol-analyzer-tcp-over-udp/ssh.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssh
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	auth_success	auth_attempts	direction	client	server	cipher_alg	mac_alg	compression_alg	kex_alg	host_key_alg	host_key
+#types	time	string	addr	port	addr	port	count	bool	count	enum	string	string	string	string	string	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	::1	52806	::1	1234	2	-	0	-	SSH-2.0-OpenSSH_42.2	SSH-2.0-OpenSSH_7.4	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.replaces-mismatch/output b/testing/btest/Baseline/spicy.replaces-mismatch/output
new file mode 100644
index 0000000000..1073ee7fc5
--- /dev/null
+++ b/testing/btest/Baseline/spicy.replaces-mismatch/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fatal error: cannot replace 'Ethernet' analyzer with a protocol analyzer
diff --git a/testing/btest/Baseline/spicy.replaces/output b/testing/btest/Baseline/spicy.replaces/output
new file mode 100644
index 0000000000..924809c5a5
--- /dev/null
+++ b/testing/btest/Baseline/spicy.replaces/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Analyzer::ANALYZER_SSH, 3
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], F, 1.99, OpenSSH_3.9p1
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], T, 2.0, OpenSSH_3.8.1p1
diff --git a/testing/btest/Baseline/spicy.resource-usage/output b/testing/btest/Baseline/spicy.resource-usage/output
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/spicy.resource-usage/output
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/spicy.reuse-parser-across-hltos/output b/testing/btest/Baseline/spicy.reuse-parser-across-hltos/output
new file mode 100644
index 0000000000..88a8c40230
--- /dev/null
+++ b/testing/btest/Baseline/spicy.reuse-parser-across-hltos/output
@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+foo, 1.99
+foo, 2.0
+
+bar, 1.99
+bar, 2.0
+
+bar, 1.99
+bar, 2.0
+foo, 1.99
+foo, 2.0
+
+bar, 1.99
+bar, 2.0
+foo, 1.99
+foo, 2.0
diff --git a/testing/btest/Baseline/spicy.ssh-banner/analyzer.log b/testing/btest/Baseline/spicy.ssh-banner/analyzer.log
new file mode 100644
index 0000000000..b60c24d0f9
--- /dev/null
+++ b/testing/btest/Baseline/spicy.ssh-banner/analyzer.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+#types	time	string	string	string	string	string	addr	port	addr	port	string	string
+XXXXXXXXXX.XXXXXX	violation	protocol	SPICY_SSH	CHhAvVGS1DHFjwGM9	-	141.142.228.5	53595	54.243.55.129	80	protocol rejected	-
+XXXXXXXXXX.XXXXXX	violation	protocol	SPICY_SSH	CHhAvVGS1DHFjwGM9	-	141.142.228.5	53595	54.243.55.129	80	failed to match regular expression (<...>/ssh.spicy:7:15)	POST /post HTTP/1.1\x0d\x0aUser-Agent: curl/7.
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.ssh-banner/output b/testing/btest/Baseline/spicy.ssh-banner/output
new file mode 100644
index 0000000000..680dd73714
--- /dev/null
+++ b/testing/btest/Baseline/spicy.ssh-banner/output
@@ -0,0 +1,10 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+=== confirmation
+SSH banner in Foo, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], F, 1.99, OpenSSH_3.9p1
+SSH banner in Foo, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], T, 2.0, OpenSSH_3.8.1p1
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], F, 1.99, OpenSSH_3.9p1
+SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], T, 2.0, OpenSSH_3.8.1p1
+confirm, Analyzer::ANALYZER_SPICY_SSH
+=== violation
+violation, Analyzer::ANALYZER_SPICY_SSH, failed to match regular expression (<...>/ssh.spicy:7:15)
+violation, Analyzer::ANALYZER_SPICY_SSH, protocol rejected
diff --git a/testing/btest/Baseline/spicy.ssh-banner/weird.log b/testing/btest/Baseline/spicy.ssh-banner/weird.log
new file mode 100644
index 0000000000..7dcdd71aef
--- /dev/null
+++ b/testing/btest/Baseline/spicy.ssh-banner/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.186.169	49244	131.159.14.23	22	my_weird	OpenSSH_3.9p1	F	zeek	SPICY_SSH
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.terminate-session/conn.log b/testing/btest/Baseline/spicy.terminate-session/conn.log
new file mode 100644
index 0000000000..40b3b79600
--- /dev/null
+++ b/testing/btest/Baseline/spicy.terminate-session/conn.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	uid
+#types	string
+CHhAvVGS1DHFjwGM9
+ClEkJM2Vm5giqnMf4h
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/spicy.toggle-protocol-analyzer/output b/testing/btest/Baseline/spicy.toggle-protocol-analyzer/output
new file mode 100644
index 0000000000..0d612ac613
--- /dev/null
+++ b/testing/btest/Baseline/spicy.toggle-protocol-analyzer/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+===
+Spicy: SSH banner, [orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp], T, 2.0, OpenSSH_3.8.1p1
+===
+===
diff --git a/testing/btest/Baseline/spicy.tuple-arg/output b/testing/btest/Baseline/spicy.tuple-arg/output
new file mode 100644
index 0000000000..3d15a46ac5
--- /dev/null
+++ b/testing/btest/Baseline/spicy.tuple-arg/output
@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[i=1, s=OpenSSH_3.8.1p1]
+[i=2, s=OpenSSH_3.8.1p1]
+[i=3, s=<uninitialized>]
+[i=4, s=<uninitialized>]
+[zeek] [SPICY_SSH/3/orig] -> event ssh::banner((1, b"OpenSSH_3.8.1p1"))
+[zeek] [SPICY_SSH/3/orig] -> event ssh::banner((2, b"OpenSSH_3.8.1p1"))
+[zeek] [SPICY_SSH/3/orig] -> event ssh::banner((3, <error: n/a>))
+[zeek] [SPICY_SSH/3/orig] -> event ssh::banner((4, Null))
diff --git a/testing/btest/Baseline/spicy.tuple-enum/output b/testing/btest/Baseline/spicy.tuple-enum/output
new file mode 100644
index 0000000000..dcc1da9f4f
--- /dev/null
+++ b/testing/btest/Baseline/spicy.tuple-enum/output
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[$a=TestEnum::A, $b=83]
+[$a=TestEnum::A, $b=83]
+[i=TupleEnum::TestEnum_A, j=83]
+[i=TupleEnum::TestEnum_A, j=83]
diff --git a/testing/btest/Baseline/spicy.tuple-optional/output b/testing/btest/Baseline/spicy.tuple-optional/output
new file mode 100644
index 0000000000..568248dce7
--- /dev/null
+++ b/testing/btest/Baseline/spicy.tuple-optional/output
@@ -0,0 +1,2 @@
+[i=83, j=83, k=<uninitialized>, s=H-, ss=<uninitialized>]
+[i=83, j=83, k=<uninitialized>, s=H-, ss=<uninitialized>]
diff --git a/testing/btest/Baseline/spicy.type-converter/output b/testing/btest/Baseline/spicy.type-converter/output
new file mode 100644
index 0000000000..aa5ca62e91
--- /dev/null
+++ b/testing/btest/Baseline/spicy.type-converter/output
@@ -0,0 +1,28 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[$a=b"SSH-2", $b=11824, $c=11599, $d=3.14, $e=1.2.3.4, $f=2001:db8::1428:57ab, $g=True, $h="MyString", $i=2011-01-19T05:31:50.500000000Z, $j=4.000000s, $r=[$i=11, $s=(not set)], $s={1, 2, 3}, $t=(47, "foo"), $v=[b"A", b"B", b"C"], $l=[b"A", b"B", b"C"], $m={1: "A", 2: "B", 3: "C"}]
+[orig_h=192.150.186.169, orig_p=49244/tcp, resp_h=131.159.14.23, resp_p=22/tcp]
+T
+SSH-2
+11824
+11599
+3.14
+1.2.3.4
+2001:db8::1428:57ab
+T
+MyString
+XXXXXXXXXX.XXXXXX
+4.000000, interval
+[i=11, s=<uninitialized>]
+{
+2,
+1,
+3
+}
+[i=47, s=foo]
+[A, B, C]
+[A, B, C]
+{
+[2] = B,
+[1] = A,
+[3] = C
+}
diff --git a/testing/btest/Baseline/spicy.udp/output b/testing/btest/Baseline/spicy.udp/output
new file mode 100644
index 0000000000..59667ecab1
--- /dev/null
+++ b/testing/btest/Baseline/spicy.udp/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Analyzer::ANALYZER_SPICY_UDP_TEST
+UDP packet, [orig_h=127.0.0.1, orig_p=12345/udp, resp_h=127.0.0.1, resp_p=31337/udp], T, 12345\x0a
+UDP packet, [orig_h=127.0.0.1, orig_p=12345/udp, resp_h=127.0.0.1, resp_p=31337/udp], F, ABCDE\x0a
+UDP packet, [orig_h=127.0.0.1, orig_p=12345/udp, resp_h=127.0.0.1, resp_p=31337/udp], T, 67890\x0a
+UDP packet, [orig_h=127.0.0.1, orig_p=12345/udp, resp_h=127.0.0.1, resp_p=31337/udp], F, FGHIJ\x0a
diff --git a/testing/btest/Baseline/supervisor.config-cluster-multi-logger/logs.out b/testing/btest/Baseline/supervisor.config-cluster-multi-logger/logs.out
new file mode 100644
index 0000000000..a9a0561636
--- /dev/null
+++ b/testing/btest/Baseline/supervisor.config-cluster-multi-logger/logs.out
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+zeek/log-queue/test__XXXX-XX-XX-XX-XX-XX__XXXX-XX-XX-XX-XX-XX__log_suffix=logger-1__.log
+zeek/log-queue/test__XXXX-XX-XX-XX-XX-XX__XXXX-XX-XX-XX-XX-XX__log_suffix=logger-2__.log
diff --git a/testing/btest/Traces/dns/long-connection.pcap b/testing/btest/Traces/dns/long-connection.pcap
new file mode 100644
index 0000000000..c2ff478357
Binary files /dev/null and b/testing/btest/Traces/dns/long-connection.pcap differ
diff --git a/testing/btest/Traces/dns/proto255.pcap b/testing/btest/Traces/dns/proto255.pcap
new file mode 100644
index 0000000000..a54d7240f4
Binary files /dev/null and b/testing/btest/Traces/dns/proto255.pcap differ
diff --git a/testing/btest/Traces/ntp/misordered-ntp.pcap b/testing/btest/Traces/ntp/misordered-ntp.pcap
new file mode 100644
index 0000000000..d2118414fe
Binary files /dev/null and b/testing/btest/Traces/ntp/misordered-ntp.pcap differ
diff --git a/testing/btest/Traces/pe/pe-single.trace b/testing/btest/Traces/pe/pe-single.trace
new file mode 100644
index 0000000000..0d87463e76
Binary files /dev/null and b/testing/btest/Traces/pe/pe-single.trace differ
diff --git a/testing/btest/Traces/smb/smb2_100_small_files.pcap b/testing/btest/Traces/smb/smb2_100_small_files.pcap
new file mode 100644
index 0000000000..4bc38dc36a
Binary files /dev/null and b/testing/btest/Traces/smb/smb2_100_small_files.pcap differ
diff --git a/testing/btest/Traces/snap-arp.pcap b/testing/btest/Traces/snap-arp.pcap
new file mode 100644
index 0000000000..00ae343ee6
Binary files /dev/null and b/testing/btest/Traces/snap-arp.pcap differ
diff --git a/testing/btest/Traces/spicy/gap-recovery.pcap b/testing/btest/Traces/spicy/gap-recovery.pcap
new file mode 100644
index 0000000000..b806213ca9
Binary files /dev/null and b/testing/btest/Traces/spicy/gap-recovery.pcap differ
diff --git a/testing/btest/Traces/spicy/packet-analyzer-violation.pcap b/testing/btest/Traces/spicy/packet-analyzer-violation.pcap
new file mode 100644
index 0000000000..3aa4bf87c1
Binary files /dev/null and b/testing/btest/Traces/spicy/packet-analyzer-violation.pcap differ
diff --git a/testing/btest/Traces/spicy/raw-layer.pcap b/testing/btest/Traces/spicy/raw-layer.pcap
new file mode 100644
index 0000000000..5e4ed891dc
Binary files /dev/null and b/testing/btest/Traces/spicy/raw-layer.pcap differ
diff --git a/testing/btest/Traces/ssh/single-conn.trace b/testing/btest/Traces/ssh/single-conn.trace
new file mode 100644
index 0000000000..a05ec98249
Binary files /dev/null and b/testing/btest/Traces/ssh/single-conn.trace differ
diff --git a/testing/btest/Traces/ssh/ssh-over-udp.pcap b/testing/btest/Traces/ssh/ssh-over-udp.pcap
new file mode 100644
index 0000000000..5a70f6b849
Binary files /dev/null and b/testing/btest/Traces/ssh/ssh-over-udp.pcap differ
diff --git a/testing/btest/Traces/ticks-dns-1hr.pcap b/testing/btest/Traces/ticks-dns-1hr.pcap
new file mode 100644
index 0000000000..ea0fc4401b
Binary files /dev/null and b/testing/btest/Traces/ticks-dns-1hr.pcap differ
diff --git a/testing/btest/Traces/ticks-dns.pcap b/testing/btest/Traces/ticks-dns.pcap
new file mode 100644
index 0000000000..41a9b3d74b
Binary files /dev/null and b/testing/btest/Traces/ticks-dns.pcap differ
diff --git a/testing/btest/Traces/tls/dtls13-cid.pcap b/testing/btest/Traces/tls/dtls13-cid.pcap
new file mode 100644
index 0000000000..c3943b22a3
Binary files /dev/null and b/testing/btest/Traces/tls/dtls13-cid.pcap differ
diff --git a/testing/btest/Traces/tls/dtls13-wolfssl.pcap b/testing/btest/Traces/tls/dtls13-wolfssl.pcap
new file mode 100644
index 0000000000..20b1b8ae96
Binary files /dev/null and b/testing/btest/Traces/tls/dtls13-wolfssl.pcap differ
diff --git a/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
new file mode 100644
index 0000000000..76a51c00c9
Binary files /dev/null and b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap differ
diff --git a/testing/btest/Traces/tunnels/geneve-47101.pcap b/testing/btest/Traces/tunnels/geneve-47101.pcap
new file mode 100644
index 0000000000..0bf57934b0
Binary files /dev/null and b/testing/btest/Traces/tunnels/geneve-47101.pcap differ
diff --git a/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap b/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap
new file mode 100644
index 0000000000..237704a8af
Binary files /dev/null and b/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap differ
diff --git a/testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap b/testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap
new file mode 100644
index 0000000000..064d87bcc8
Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-aruba-amsdu.pcap differ
diff --git a/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap b/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap
new file mode 100644
index 0000000000..8a03264421
Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap differ
diff --git a/testing/btest/Traces/udp-packet.pcap b/testing/btest/Traces/udp-packet.pcap
new file mode 100644
index 0000000000..5dc0f1fc8a
Binary files /dev/null and b/testing/btest/Traces/udp-packet.pcap differ
diff --git a/testing/btest/bifs/disable_analyzer-invalid-aid.zeek b/testing/btest/bifs/disable_analyzer-invalid-aid.zeek
new file mode 100644
index 0000000000..5738a80575
--- /dev/null
+++ b/testing/btest/bifs/disable_analyzer-invalid-aid.zeek
@@ -0,0 +1,15 @@
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT >out 2>&1
+# @TEST-EXEC: btest-diff out
+# @TEST-DOC: Validates that one can use disable_analyzer even for analyzers without parent. This is a regression test for #3071.
+
+event new_connection(c: connection)
+	{
+	# Iterate over a range of analyzer IDs. This range should include e.g.,
+	# `TCP` which has no parent analyzer.
+	local i = 0;
+	while ( i < 200 )
+		{
+		disable_analyzer(c$id, i, F, T);
+		++i;
+		}
+	}
diff --git a/testing/btest/bifs/from_json.zeek b/testing/btest/bifs/from_json.zeek
new file mode 100644
index 0000000000..e6b9ca2351
--- /dev/null
+++ b/testing/btest/bifs/from_json.zeek
@@ -0,0 +1,137 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff .stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+module A;
+
+type Color: enum {
+	Red = 10,
+	White = 20,
+	Blue = 30
+};
+
+type Foo: record {
+	hello: string;
+	t: bool;
+	f: bool;
+	n: count &optional;
+	m: count &optional;  # not in input
+	def: count &default = 123;
+	i: int;
+	pi: double;
+	a: string_vec;
+	c1: Color;
+	p: port;
+	ti: time;
+	it: interval;
+	ad: addr;
+	s: subnet;
+	re: pattern;
+	su: subnet_set;
+	se: set[addr, port];
+};
+
+event zeek_init()
+	{
+	local json = "{\"hello\":\"world\",\"t\":true,\"f\":false,\"se\":[[\"192.168.0.1\", \"80/tcp\"], [\"2001:db8::1\", \"8080/udp\"]],\"n\":null,\"i\":123,\"pi\":3.1416,\"a\":[\"1\",\"2\",\"3\",\"4\"],\"su\":[\"[aa:bb::0]/32\",\"192.168.0.0/16\"],\"c1\":\"A::Blue\",\"p\":\"1500/tcp\",\"it\":5000,\"ad\":\"127.0.0.1\",\"s\":\"[::1/128]\",\"re\":\"/a/\",\"ti\":1681652265.042767}";
+	print from_json(json, Foo);
+	}
+
+@TEST-START-NEXT
+# argument type mismatch
+event zeek_init()
+	{
+	print from_json("[]", 10);
+	}
+
+@TEST-START-NEXT
+# JSON parse error
+event zeek_init()
+	{
+	print from_json("{\"hel", string_vec);
+	}
+
+@TEST-START-NEXT
+type bool_t: bool;
+type Foo: record {
+	a: bool;
+};
+
+# type mismatch error
+event zeek_init()
+	{
+	print from_json("[]", bool_t);
+	print from_json("{\"a\": \"hello\"}", Foo);
+	}
+
+@TEST-START-NEXT
+# type unsupport error
+event zeek_init()
+	{
+	print from_json("[]", table_string_of_string);
+	}
+
+@TEST-START-NEXT
+type port_t: port;
+# wrong port format
+event zeek_init()
+	{
+	print from_json("\"80\"", port_t);
+	}
+
+@TEST-START-NEXT
+type set_t: set[int, bool];
+# index type doesn't match
+event zeek_init()
+	{
+	print from_json("[[1, false], [2]]", set_t);
+	print from_json("[[1, false], [2, 1]]", set_t);
+	}
+
+@TEST-START-NEXT
+type pattern_t: pattern;
+# pattern compile error
+event zeek_init()
+	{
+	print from_json("\"/([[:print:]]{-}[[:alnum:]]foo)/\"", pattern_t);
+	}
+
+@TEST-START-NEXT
+type Color: enum {
+	Red = 10
+};
+# enum error
+event zeek_init()
+	{
+	print from_json("\"Yellow\"", Color);
+	}
+
+@TEST-START-NEXT
+# container null
+event zeek_init()
+	{
+	print from_json("[\"fe80::/64\",null,\"192.168.0.0/16\"]", subnet_set);
+	print from_json("[\"1\",null,\"3\",\"4\"]", string_vec);
+	}
+
+@TEST-START-NEXT
+type Foo: record {
+	hello: string;
+	t: bool;
+};
+# record field null or missing
+event zeek_init()
+	{
+	print from_json("{\"t\":null}", Foo);
+	print from_json("{\"hello\": null, \"t\": true}", Foo);
+	}
+
+@TEST-START-NEXT
+type Foo: record {
+	hello: string;
+};
+# extra fields are alright
+event zeek_init()
+	{
+	print from_json("{\"hello\": \"Hello!\", \"t\": true}", Foo);
+	}
diff --git a/testing/btest/bifs/math.zeek b/testing/btest/bifs/math.zeek
index 63999b9a27..d3fe0189f6 100644
--- a/testing/btest/bifs/math.zeek
+++ b/testing/btest/bifs/math.zeek
@@ -14,6 +14,11 @@ event zeek_init()
 	print floor(c);
 	print floor(d);
 
+	print ceil(a);
+	print ceil(b);
+	print ceil(c);
+	print ceil(d);
+
 	print sqrt(a);
 
 	print exp(a);
@@ -22,5 +27,7 @@ event zeek_init()
 
 	print log10(a);
 
+	print log2(a);
+
 	print pow(a, b);
 	}
diff --git a/testing/btest/bifs/records_fields.zeek b/testing/btest/bifs/records_fields.zeek
index 72120b5015..ad54afe534 100644
--- a/testing/btest/bifs/records_fields.zeek
+++ b/testing/btest/bifs/records_fields.zeek
@@ -52,7 +52,9 @@ event zeek_init()
     local t: record_field_table;
     t = record_fields(x);
     print t;
-    print t["c"]?$value;
+    print "c value", t["c"]?$value;
+    print "c default ", t["c"]?$default_val;
+    print "c optional", t["c"]$optional;
 
     t = record_fields(x$e);
     print t;
diff --git a/testing/btest/broker/remote_event_auto_ts.zeek b/testing/btest/broker/remote_event_auto_ts.zeek
new file mode 100644
index 0000000000..31bc2da59f
--- /dev/null
+++ b/testing/btest/broker/remote_event_auto_ts.zeek
@@ -0,0 +1,82 @@
+# @TEST-GROUP: broker
+#
+# @TEST-PORT: BROKER_PORT
+#
+# @TEST-EXEC: btest-bg-run recv "zeek -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "zeek -b -r $TRACES/ticks-dns-1hr.pcap ../send.zeek >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 45
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+# @TEST-START-FILE send.zeek
+
+redef exit_only_after_terminate = T;
+
+global runs = 0;
+global ping: event(msg: string, intended_ts: time);
+
+event zeek_init()
+	{
+	suspend_processing();
+	Broker::subscribe("zeek/event/my_topic");
+	Broker::auto_publish("zeek/event/my_topic", ping);
+	Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("sender added peer: endpoint=%s msg=%s",
+		endpoint$network$address, msg);
+	continue_processing();
+	}
+
+event new_connection(c: connection)
+	{
+	print fmt(">> Run %s (%D)", ++runs, network_time());
+
+	event ping("my-message-a", network_time());
+	schedule 30 mins { ping("my-message-c", network_time() + 30 mins) };
+	schedule 15 mins { ping("my-message-b", network_time() + 15 mins) };
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("sender lost peer: endpoint=%s msg=%s",
+	endpoint$network$address, msg);
+	terminate();
+	}
+
+# @TEST-END-FILE
+
+
+# @TEST-START-FILE recv.zeek
+
+redef exit_only_after_terminate = T;
+
+global msg_count = 0;
+
+event zeek_init()
+	{
+	Broker::subscribe("zeek/event/my_topic");
+	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+	}
+
+event ping(msg: string, intended_ts: time) &is_used
+	{
+	if ( ++msg_count >= 10 )
+		{
+		terminate();
+		return;
+		}
+
+	print fmt("receiver got ping: %s intended for %D stamped to %D (is_remote = %s)",
+		msg, intended_ts, current_event_time(), is_remote_event());
+	}
+
+# @TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_ts.zeek b/testing/btest/broker/remote_event_ts.zeek
new file mode 100644
index 0000000000..e4f2f508d1
--- /dev/null
+++ b/testing/btest/broker/remote_event_ts.zeek
@@ -0,0 +1,77 @@
+# @TEST-GROUP: broker
+#
+# @TEST-PORT: BROKER_PORT
+#
+# @TEST-EXEC: btest-bg-run recv "zeek -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "zeek -b -r $TRACES/ticks-dns-1hr.pcap ../send.zeek >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 45
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+# @TEST-START-FILE send.zeek
+
+redef exit_only_after_terminate = T;
+
+global runs = 0;
+global ping: event(msg: string, intended_ts: time);
+
+event zeek_init()
+	{
+	Broker::subscribe("zeek/event/my_topic");
+	Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
+	suspend_processing();
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("sender added peer: endpoint=%s msg=%s",
+		endpoint$network$address, msg);
+	continue_processing();
+	}
+
+event new_connection(c: connection)
+	{
+	print fmt(">> Run %s (%D)", ++runs, network_time());
+
+	local e = Broker::make_event(ping, "my-message", network_time());
+	Broker::publish("zeek/event/my_topic", e);
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("sender lost peer: endpoint=%s msg=%s",
+	endpoint$network$address, msg);
+	terminate();
+	}
+
+# @TEST-END-FILE
+
+
+# @TEST-START-FILE recv.zeek
+
+redef exit_only_after_terminate = T;
+
+global msg_count = 0;
+
+event zeek_init()
+		{
+		Broker::subscribe("zeek/event/my_topic");
+		Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
+		}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+		{
+		print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+		}
+
+event ping(msg: string, intended_ts: time)
+	{
+	print fmt("receiver got ping: %s intended for %D stamped to %D (is_remote = %s)",
+		msg, intended_ts, current_event_time(), is_remote_event());
+
+	if ( ++msg_count >= 10 )
+		terminate();
+	}
+
+# @TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_ts_compat.zeek b/testing/btest/broker/remote_event_ts_compat.zeek
new file mode 100644
index 0000000000..8e73b1078c
--- /dev/null
+++ b/testing/btest/broker/remote_event_ts_compat.zeek
@@ -0,0 +1,92 @@
+# @TEST-DOC: Test compatibility with peers sending events without timestamps.
+#
+# @TEST-GROUP: broker
+# @TEST-PORT: BROKER_PORT
+#
+# @TEST-REQUIRES: python3 -V
+# @TEST-REQUIRES: TOPIC=/zeek/my_topic python3 client.py check
+#
+# @TEST-EXEC: TOPIC=/zeek/my_topic btest-bg-run server "zeek %INPUT >output"
+# @TEST-EXEC: TOPIC=/zeek/my_topic btest-bg-run client "python3 ../client.py >output"
+#
+# @TEST-EXEC: btest-bg-wait 45
+# @TEST-EXEC: btest-diff server/output
+# @TEST-EXEC: btest-diff client/output
+
+redef exit_only_after_terminate = T;
+redef allow_network_time_forward = F;
+
+event zeek_init()
+	{
+	Broker::subscribe(getenv("TOPIC"));
+	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
+	set_network_time(double_to_time(42.0));
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print fmt("lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+	terminate();
+	}
+
+event my_event(msg: string) &is_used
+	{
+	print fmt("got my_event(%s) stamped to %s at network time %s",
+		msg, current_event_time(), network_time());
+	}
+
+
+@TEST-START-FILE client.py
+"""
+Python script sending timestamped and non-timestamped event to TOPIC
+"""
+import datetime
+import os
+import sys
+
+# Prep the PYTHONPATH for the build directory.
+broker_path = os.path.join(os.environ["BUILD"], "auxil", "broker", "python")
+sys.path.insert(0, broker_path)
+
+import broker
+
+# 1024/tcp
+broker_port = int(os.environ["BROKER_PORT"].split("/")[0])
+broker_topic = os.environ["TOPIC"]
+
+# We were able to import broker and parse the broker_port, should be good.
+if len(sys.argv) > 1 and sys.argv[1] == "check":
+	sys.exit(0)
+
+# Setup endpoint and connect to Zeek.
+with broker.Endpoint() as ep, \
+	 ep.make_status_subscriber(True) as ss:
+
+	ep.peer("127.0.0.1", broker_port)
+	st = ss.get(2)
+	if not (st[0].code() == broker.SC.EndpointDiscovered and
+		    st[1].code() == broker.SC.PeerAdded):
+		print("could not connect")
+		exit(0)
+
+	# Send events and close connection
+	print("send event without timestamp")
+	my_event = broker.zeek.Event("my_event", "without ts")
+	ep.publish(broker_topic, my_event)
+
+	print("send event with timestamp")
+	ts = datetime.datetime.fromtimestamp(23.0, broker.utc)
+	metadata = {
+		broker.zeek.MetadataType.NetworkTimestamp: ts,
+	}
+	my_event = broker.zeek.Event("my_event", "with ts", metadata=metadata)
+	ep.publish(broker_topic, my_event)
+
+	ep.shutdown()
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/web-socket-events-metadata.zeek b/testing/btest/broker/web-socket-events-metadata.zeek
new file mode 100644
index 0000000000..52b1c8ab3b
--- /dev/null
+++ b/testing/btest/broker/web-socket-events-metadata.zeek
@@ -0,0 +1,148 @@
+# @TEST-GROUP: broker
+#
+# This test requires the websockets module, available via
+# "pip install websockets".
+# @TEST-REQUIRES: python3 -c 'import websockets'
+#
+# @TEST-PORT: BROKER_PORT
+#
+# @TEST-EXEC: btest-bg-run server "zeek -b %INPUT >output"
+# @TEST-EXEC: btest-bg-run client "python3 ../client.py >output"
+#
+# @TEST-EXEC: btest-bg-wait 5
+# @TEST-EXEC: btest-diff client/output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff server/output
+
+redef allow_network_time_forward = F;
+redef exit_only_after_terminate = T;
+redef Broker::disable_ssl = T;
+
+global event_count = 0;
+
+global ping: event(msg: string, c: count);
+
+event zeek_init()
+    {
+    # Tue 18 Apr 2023 12:13:14 PM UTC
+    set_network_time(double_to_time(1681819994.0));
+    Broker::subscribe("/zeek/event/my_topic");
+    Broker::listen_websocket("127.0.0.1", to_port(getenv("BROKER_PORT")));
+    }
+
+function send_event()
+    {
+    ++event_count;
+    local e = Broker::make_event(ping, "my-message", event_count);
+    Broker::publish("/zeek/event/my_topic", e);
+    }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    send_event();
+    }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    terminate();
+    }
+
+event pong(msg: string, n: count) &is_used
+    {
+    print fmt("sender got pong: %s, %s network_time=%s current_event_time=%s",
+              msg, n, network_time(), current_event_time());
+    set_network_time(network_time() + 10sec);
+    send_event();
+    }
+
+
+@TEST-START-FILE client.py
+import asyncio, datetime, websockets, os, time, json, sys
+
+ws_port = os.environ['BROKER_PORT'].split('/')[0]
+ws_url = 'ws://localhost:%s/v1/messages/json' % ws_port
+topic = '"/zeek/event/my_topic"'
+
+def broker_value(type, val):
+    return {
+            '@data-type': type,
+            'data': val
+            }
+
+async def do_run():
+    # Try up to 30 times.
+    connected  = False
+    for i in range(30):
+        try:
+            ws = await websockets.connect(ws_url)
+            connected  = True
+
+            # send filter and wait for ack
+            await ws.send('[%s]' % topic)
+            ack_json = await ws.recv()
+            ack = json.loads(ack_json)
+            if not 'type' in ack or ack['type'] != 'ack':
+                print('*** unexpected ACK from server:')
+                print(ack_json)
+                sys.exit()
+        except Exception as e:
+            if not connected:
+                print('failed to connect to %s, try again (%s)' % (ws_url, e), file=sys.stderr)
+                await asyncio.sleep(1)
+                continue
+            else:
+                print('exception: %s' % e, file=sys.stderr)
+                sys.exit()
+
+        for round in range(3):
+            # wait for ping
+            msg = await ws.recv()
+            msg = json.loads(msg)
+            if not 'type' in msg or msg['type'] != 'data-message':
+                print("unexpected type", msg)
+                continue
+            ping = msg['data'][2]['data']
+            if len(ping) < 3:
+                print("no metadata on event")
+                continue
+
+            name = ping[0]['data']
+            args = [x['data'] for x in ping[1]['data']]
+            metadata = ping[2]['data']
+            print(name, "args", args, "metadata", metadata)
+
+            # send pong
+            dt = datetime.datetime.utcfromtimestamp(1681819994 + args[1])
+            ts_str = dt.isoformat('T', 'milliseconds')
+            pong = [
+                broker_value('string', 'pong'),
+                broker_value('vector', [
+                    broker_value('string', args[0]),
+                    broker_value('count', args[1]),
+                ]),
+                broker_value('vector', [
+                    broker_value('vector', [
+                        broker_value('count', 1),  # network_timestamp
+                        broker_value('timestamp', ts_str),
+                    ]),
+                ]),
+           ]
+
+            ev = [broker_value('count', 1), broker_value('count', 1), broker_value('vector', pong)]
+            msg = {
+                'type': 'data-message',
+                'topic': '/zeek/event/my_topic',
+                '@data-type': 'vector', 'data': ev
+            }
+
+            msg = json.dumps(msg)
+            await ws.send(msg)
+
+        await ws.close()
+        sys.exit()
+
+loop = asyncio.get_event_loop()
+loop.run_until_complete(do_run())
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/web-socket-events.zeek b/testing/btest/broker/web-socket-events.zeek
index b94ef9c362..9002b803b4 100644
--- a/testing/btest/broker/web-socket-events.zeek
+++ b/testing/btest/broker/web-socket-events.zeek
@@ -84,7 +84,7 @@ async def do_run():
         except Exception as e:
             if not connected:
                 print('failed to connect to %s, try again (%s)' % (ws_url, e), file=sys.stderr)
-                time.sleep(1)
+                await asyncio.sleep(1)
                 continue
             else:
                 print('exception: %s' % e, file=sys.stderr)
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 447715534d..535e51befb 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -4,7 +4,7 @@
 build_dir = build
 
 [btest]
-TestDirs    = doc bifs language core scripts coverage signatures plugins broker spicy supervisor telemetry javascript
+TestDirs    = af_packet doc bifs language core scripts coverage signatures plugins broker spicy supervisor telemetry javascript
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs  = .svn CVS .tmp
@@ -13,12 +13,13 @@ MinVersion  = 0.63
 
 [environment]
 ZEEKPATH=`bash -c %(testbase)s/../../%(build_dir)s/zeek-path-dev`
+HILTI_CXX_COMPILER_LAUNCHER=`f=%(testbase)s/../../%(build_dir)s/CMakeCache.txt && grep -q '^ENABLE_CCACHE:BOOL=true' $f && sed -n 's/^CCACHE_PROGRAM:FILEPATH=\(.*\)$/\1/p' $f`
 ZEEK_SEED_FILE=%(testbase)s/random.seed
 ZEEK_PLUGIN_PATH=
 TZ=UTC
 LC_ALL=C
 BTEST_PATH=%(testbase)s/../../auxil/btest
-PATH=%(testbase)s/../../%(build_dir)s/src%(pathsep)s%(testbase)s/../scripts%(pathsep)s%(testbase)s/../../auxil/btest%(pathsep)s%(testbase)s/../../%(build_dir)s/auxil/zeek-aux/zeek-cut%(pathsep)s%(testbase)s/../../auxil/btest/sphinx%(pathsep)s%(default_path)s%(pathsep)s/sbin
+PATH=%(testbase)s/../../%(build_dir)s/src%(pathsep)s%(testbase)s/../scripts%(pathsep)s%(testbase)s/../../auxil/btest%(pathsep)s%(testbase)s/../../%(build_dir)s/auxil/zeek-aux/zeek-cut%(pathsep)s%(testbase)s/../../%(build_dir)s/auxil/spicy/bin%(pathsep)s%(testbase)s/../../%(build_dir)s/src/spicy/spicyz%(pathsep)s%(testbase)s/../../auxil/btest/sphinx%(pathsep)s%(default_path)s%(pathsep)s/sbin
 TRACES=%(testbase)s/Traces
 FILES=%(testbase)s/Files
 SCRIPTS=%(testbase)s/../scripts
@@ -39,6 +40,8 @@ ZEEK_SUPERVISOR_NO_SIGKILL=1
 UBSAN_OPTIONS=print_stacktrace=1
 SPICY_PATH=`bash -c %(testbase)s/../../%(build_dir)s/spicy-path`
 HILTI_CXX_INCLUDE_DIRS=`bash -c %(testbase)s/../../%(build_dir)s/hilti-cxx-include-dirs`
+ZEEK_SPICY_MODULE_PATH=/does/not/exist
+ZEEK_SPICY_LIBRARY_PATH=%(testbase)s/../../scripts/spicy
 
 [environment-AST-dup]
 # Environment for testing AST duplication functionality, which is
diff --git a/testing/btest/core/checksums-cli.test b/testing/btest/core/checksums-cli.test
index 705addbf22..9216545573 100644
--- a/testing/btest/core/checksums-cli.test
+++ b/testing/btest/core/checksums-cli.test
@@ -1,3 +1,6 @@
+# Skip for C++ testing, since not all of the tests use the same script.
+# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
+
 # This verifies the interaction between the -C flag and the script-layer
 # ignore_checksums global.
 #
diff --git a/testing/btest/core/load-unload.zeek b/testing/btest/core/load-unload.zeek
index 4c4458ea16..3079939b5e 100644
--- a/testing/btest/core/load-unload.zeek
+++ b/testing/btest/core/load-unload.zeek
@@ -1,13 +1,18 @@
 # This tests the @unload directive
 #
-# @TEST-EXEC: zeek -b unload misc/loaded-scripts dontloadme > output
+# @TEST-EXEC: zeek -b unload misc/loaded-scripts dontloadme pkg-dontloadme > output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: grep dontloadme loaded_scripts.log && exit 1 || exit 0
 
 @TEST-START-FILE unload.zeek
 @unload dontloadme
+@unload pkg-dontloadme
 @TEST-END-FILE
 
 @TEST-START-FILE dontloadme.zeek
 print "Loaded: dontloadme.zeek";
 @TEST-END-FILE
+
+@TEST-START-FILE pkg-dontloadme/__load__.zeek
+print "Loaded: pkg-dontloadme/__load__.zeek";
+@TEST-END-FILE
diff --git a/testing/btest/core/network_time/broker.zeek b/testing/btest/core/network_time/broker.zeek
index 9419fb5d3f..7ec26a7a03 100644
--- a/testing/btest/core/network_time/broker.zeek
+++ b/testing/btest/core/network_time/broker.zeek
@@ -11,6 +11,8 @@
 
 redef allow_network_time_forward = F;
 
+global timer_tock: event();
+
 event zeek_init()
 	{
 	print network_time(), "zeek_init: broker peering";
@@ -34,7 +36,8 @@ event timer(s: string)
 	print fmt("%.3f", network_time()), "timer", s;
 	}
 
-# The manager tells us our network_time.
+# The manager sends timer_tick() with the network time to the worker which
+# replies back with a timer_tock().
 global received_ticks = 0;
 event timer_tick(ts: time) &is_used
 	{
@@ -48,10 +51,12 @@ event timer_tick(ts: time) &is_used
 		{
 		schedule 0.5sec { timer("first timer (1 sec)") };
 		schedule 3sec { timer("second timer (3 sec)") };
-		schedule 3.25sec { timer("third timer (3.5 sec)") };
+		schedule 3.25sec { timer("third timer (3.25 sec)") };
 		schedule 5sec { timer("fourth timer (10 sec)") };
 		}
 
+	Broker::publish("zeek/event/my_topic", timer_tock);
+
 	if ( received_ticks == 30 )
 		terminate();
 	}
@@ -74,20 +79,21 @@ event zeek_init()
 	{
 	print "manager: listening";
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
+	Broker::subscribe("zeek/event/my_topic");
 	}
 
-event local_tick() {
+# Received from the worker once it has processed the tick.
+event timer_tock() &is_used
+	{
 	fake_network_time = fake_network_time + double_to_interval(0.25);
 	Broker::publish("zeek/event/my_topic", timer_tick, fake_network_time);
-	schedule 0.05 sec { local_tick() };
-}
+	}
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-        {
-        print "manager: peer added, publishing do_continue_processing";
+	{
+	print "manager: peer added, publishing timer_tick() events";
 	Broker::publish("zeek/event/my_topic", timer_tick, fake_network_time);
-	schedule 0.05 sec { local_tick() };
-        }
+	}
 
 event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	{
diff --git a/testing/btest/core/raw-truncation.zeek b/testing/btest/core/raw-truncation.zeek
new file mode 100644
index 0000000000..0b6f61f60b
--- /dev/null
+++ b/testing/btest/core/raw-truncation.zeek
@@ -0,0 +1,11 @@
+# @TEST-DOC: Test that raw_packet works correctly with a truncated packet
+# @TEST-EXEC: zeek -r $TRACES/trunc/trunc-hdr.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
+event raw_packet(p: raw_pkt_hdr) {
+        if ( ! p?$ip )
+                return;
+
+        if ( p$ip$hl != 20 )
+                print p$ip;
+}
\ No newline at end of file
diff --git a/testing/btest/core/seed-errors.zeek b/testing/btest/core/seed-errors.zeek
new file mode 100644
index 0000000000..da7538584b
--- /dev/null
+++ b/testing/btest/core/seed-errors.zeek
@@ -0,0 +1,16 @@
+# @TEST-DOC: Test specifying the same seeds via ZEEK_SEED
+# @TEST-EXEC: seq 21 > random.seed
+# @TEST-EXEC: echo "file does not exist" >> output
+# @TEST-EXEC-FAIL: ZEEK_SEED_FILE=./does/not-exist zeek -b %INPUT >> output 2>&1
+# @TEST-EXEC: echo "cannot use ZEEK_SEED_FILE and ZEEK_SEED" >> output
+# @TEST-EXEC-FAIL: ZEEK_SEED_FILE=./does/not-exist ZEEK_SEED_VALUES="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" zeek -b %INPUT >> output 2>&1
+# @TEST-EXEC: echo "cannot use -G and ZEEK_SEED" >> output
+# @TEST-EXEC-FAIL: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" zeek -G ./random.seed -b %INPUT >> output 2>&1
+# @TEST-EXEC: echo "wrong format (1)" >> output
+# @TEST-EXEC-FAIL: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="a b c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" zeek -b %INPUT >> output 2>&1
+# @TEST-EXEC: echo "wrong format (2)" >> output
+# @TEST-EXEC-FAIL: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="0 0 0" zeek -b %INPUT >> output 2>&1
+
+# @TEST-EXEC: btest-diff output
+
+print rand(500000), unique_id("C");
diff --git a/testing/btest/core/seed.zeek b/testing/btest/core/seed.zeek
new file mode 100644
index 0000000000..57804927fc
--- /dev/null
+++ b/testing/btest/core/seed.zeek
@@ -0,0 +1,21 @@
+# @TEST-DOC: Test specifying seeds via ZEEK_SEED_VALUES
+# @TEST-EXEC: echo "test seed" >> output
+# @TEST-EXEC: zeek -b %INPUT >> output
+# @TEST-EXEC: bash -c 'ZEEK_SEED_VALUES=$(paste -d " " $ZEEK_SEED_FILE) ZEEK_SEED_FILE= zeek -b %INPUT' >> output
+# @TEST-EXEC: echo "1 to 21" >> output
+# @TEST-EXEC: bash -c 'ZEEK_SEED_FILE= ZEEK_SEED_VALUES=$(echo {1..21}) zeek -b %INPUT ' >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21" zeek -b %INPUT >> output
+# @TEST-EXEC: echo "21 x 0, deterministic" >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" zeek -b %INPUT >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= zeek -D -b %INPUT >> output
+# @TEST-EXEC: echo "different" >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="10 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1" zeek -b %INPUT >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="20 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2" zeek -b %INPUT >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="30 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3" zeek -b %INPUT >> output
+# @TEST-EXEC: echo "writing seeds (twice)" >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21" zeek -b %INPUT -H seeds.out >> output
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_SEED_VALUES="0 1 2 3 4 5 6 7 8 9 10 9 8 7 6 5 4 3 2 1 0" zeek -b %INPUT -H seeds.out >> output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff seeds.out
+
+print rand(500000), unique_id("C");
diff --git a/testing/btest/core/tunnels/geneve-47101.zeek b/testing/btest/core/tunnels/geneve-47101.zeek
new file mode 100644
index 0000000000..afc33d02ca
--- /dev/null
+++ b/testing/btest/core/tunnels/geneve-47101.zeek
@@ -0,0 +1,8 @@
+# @TEST-DOC: Tests a pcap containing a packet of size 14196 bytes with GENEVE encapsulation. Regression test for #2683.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/geneve-47101.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/ssl
diff --git a/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek
new file mode 100644
index 0000000000..ff1e2b3ae1
--- /dev/null
+++ b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek
@@ -0,0 +1,8 @@
+# @TEST-DOC: Tests truncated packets tunneled via VXLAN inside GENEVE
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/geneve-vxlan-dns-truncated.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns
diff --git a/testing/btest/core/tunnels/gre-aruba-amsdu.zeek b/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
new file mode 100644
index 0000000000..975c96a871
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
@@ -0,0 +1,7 @@
+# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 QoS A-MSDU headers. This is testing that the tunnel is detected and that the conn byte size contains both A-MSDU subframe packets.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/protocols/conn
+@load base/frameworks/tunnels
diff --git a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
new file mode 100644
index 0000000000..3f095ab6a1
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
@@ -0,0 +1,4 @@
+# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
+
+@load base/frameworks/notice/weird
diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test
index 07a022a468..be4beaa541 100644
--- a/testing/btest/coverage/bare-mode-errors.test
+++ b/testing/btest/coverage/bare-mode-errors.test
@@ -4,6 +4,9 @@
 # Commonly, this test may fail if one forgets to @load some base/ scripts
 # when writing a new zeek scripts.
 #
+# Require Spicy, otherwise its scripts cannot be loaded.
+# @TEST-REQUIRES: have-spicy
+#
 # @TEST-EXEC: test -d $DIST/scripts
 # @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.zeek`; do zeek -b --parse-only $script >>errors 2>&1; done
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="grep -v -e 'Use the external.*bro-simple-scan package' -e 'The MQTT scripts have been moved out of policy/' | $SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort" btest-diff errors
diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test
index a79a63413e..9dd4b1d1c7 100644
--- a/testing/btest/coverage/init-default.test
+++ b/testing/btest/coverage/init-default.test
@@ -7,6 +7,9 @@
 # (e.g. cluster operation), and in such cases, the missing_loads baseline
 # can be adjusted to tolerate that.
 
+# Require Spicy, otherwise baselines change.
+# @TEST-REQUIRES: have-spicy
+
 #@TEST-EXEC: test -d $DIST/scripts/base
 #@TEST-EXEC: test -e $DIST/scripts/base/init-default.zeek
 #@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.zeek' ) | sort >"all scripts found"
diff --git a/testing/btest/coverage/test-all-policy-cluster.test b/testing/btest/coverage/test-all-policy-cluster.test
new file mode 100644
index 0000000000..a189747f6e
--- /dev/null
+++ b/testing/btest/coverage/test-all-policy-cluster.test
@@ -0,0 +1,42 @@
+# @TEST-DOC: Start each node type and ensure there are no unexpected warnings to be seen
+#
+# @TEST-PORT: BROKER_PORT1
+# @TEST-PORT: BROKER_PORT2
+# @TEST-PORT: BROKER_PORT3
+# @TEST-PORT: BROKER_PORT4
+#
+# @TEST-EXEC: CLUSTER_NODE=manager zeek %INPUT
+# @TEST-EXEC: CLUSTER_NODE=logger-1 zeek %INPUT
+# @TEST-EXEC: CLUSTER_NODE=proxy-1 zeek %INPUT
+# @TEST-EXEC: CLUSTER_NODE=worker-1 zeek %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v "scan.zeek.*deprecated script" | $SCRIPTS/diff-remove-abspath' btest-diff .stderr
+
+@load base/frameworks/cluster
+@load misc/loaded-scripts
+
+@load test-all-policy
+
+@TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager"]  = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
+	["logger-1"] = [$node_type=Cluster::LOGGER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager"],
+	["proxy-1"]  = [$node_type=Cluster::PROXY,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager"],
+	["worker-1"] = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager"],
+};
+
+@TEST-END-FILE
+
+# Make this a single-node cluster-layout so no connection attempts happen
+# to other nodes.
+redef Cluster::nodes = {
+	[Cluster::node] = Cluster::nodes[Cluster::node],
+};
+
+# Avoid rotation commands to be executed.
+redef Log::default_rotation_interval = 0sec;
+
+event zeek_init()
+	{
+	print Cluster::node, "zeek_init()";
+	terminate();
+	}
diff --git a/testing/btest/language/bro_init.zeek b/testing/btest/language/bro_init.zeek
deleted file mode 100644
index 0beda04a7b..0000000000
--- a/testing/btest/language/bro_init.zeek
+++ /dev/null
@@ -1,12 +0,0 @@
-# @TEST-EXEC-FAIL: zeek -b %INPUT >out 2>&1
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
-
-event bro_init()
-	{
-	print "ran bro_init()";
-	}
-
-event bro_done()
-	{
-	print "ran bro_done()";
-	}
diff --git a/testing/btest/language/bro_script_loaded.zeek b/testing/btest/language/bro_script_loaded.zeek
deleted file mode 100644
index fb3d080a31..0000000000
--- a/testing/btest/language/bro_script_loaded.zeek
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC-FAIL: zeek -b %INPUT >out 2>&1
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
-
-event bro_script_loaded(path: string, level: count) &priority=5
-	{
-	if ( /zeek_script_loaded.zeek/ in path )
-		print "bro_script_loaded priority 5";
-	}
diff --git a/testing/btest/language/event-ts-scheduled.zeek b/testing/btest/language/event-ts-scheduled.zeek
new file mode 100644
index 0000000000..bc0088845f
--- /dev/null
+++ b/testing/btest/language/event-ts-scheduled.zeek
@@ -0,0 +1,20 @@
+# @TEST-EXEC: zeek -b -r $TRACES/ticks-dns-1hr.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+global runs = 0;
+
+event test(schedule_time: time)
+	{
+	print fmt("[%D] Test was scheduled at %D for %D", network_time(),
+		schedule_time, current_event_time());
+	}
+
+event new_connection(c: connection)
+	{
+	local nt = network_time();
+	print fmt(">> Run %s (%D)", runs, nt);
+	schedule 30 mins { test(nt) };
+	schedule 15 mins { test(nt) };
+	print fmt("<< Run %s (%D)", runs, nt);
+	++runs;
+	}
diff --git a/testing/btest/language/event-ts.zeek b/testing/btest/language/event-ts.zeek
new file mode 100644
index 0000000000..f35c3e5994
--- /dev/null
+++ b/testing/btest/language/event-ts.zeek
@@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -b -r $TRACES/ticks-dns.pcap %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+# Note: We use a PCAP with DNS queries only so that we have a single packet per
+# time step. Thus the run loop will be executed only once per time step.
+
+global runs = -1;
+
+event test(depth: count)
+	{
+	if ( depth == 0 )
+		return;
+
+	print fmt("[%D] Test %s was scheduled at %D", network_time(), depth, current_event_time());
+	event test(--depth);
+	}
+
+event new_connection(c: connection)
+	{
+	print fmt(">> Run %s (%D):", ++runs, network_time());
+	# Descend into recursion to enqueue events until we add an event that will
+	# be handled in the next run loop iteration, i.e. at a different timestamp
+	# than it was enqueued. Use four levels of recursion as every drain of the
+	# event queue handles two layers and the event queue is drained two times.
+	# First after processing a packet and second in the run loop. Finally, we
+	# expect an event so that network_time() > current_event_time().
+	event test(4);
+	}
diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek
index 798fd7e15c..d8bb810181 100644
--- a/testing/btest/language/vector.zeek
+++ b/testing/btest/language/vector.zeek
@@ -223,4 +223,10 @@ event zeek_init()
 	local v23 = v6 >> four_ones;
 	test_case( "left shift", all_set(v22 == vector(20, 40, 60, 80)) );
 	test_case( "right shift", all_set(v23 == vector(5, 10, 15, 20)) );
+
+	# negative indices
+	local v24 = vector( 1, 2, 3, 4, 5 );
+	test_case( "negative index", v24[-1] == 5 );
+	test_case( "negative index", v24[-3] == 3 );
+
 }
diff --git a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt
index 9632726412..0175e1da6d 100644
--- a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Foo-FOO)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/conflict-plugin/CMakeLists.txt b/testing/btest/plugins/conflict-plugin/CMakeLists.txt
index 7864acc7d1..64c10fac4f 100644
--- a/testing/btest/plugins/conflict-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/conflict-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Conflict-Plugin)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/file-plugin/CMakeLists.txt b/testing/btest/plugins/file-plugin/CMakeLists.txt
index 6fc782e2ca..e57542dd9b 100644
--- a/testing/btest/plugins/file-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/file-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT BRO_DIST )
+if (NOT BRO_DIST)
     message(FATAL_ERROR "BRO_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
index accc871375..99cf4eafd9 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
@@ -1,11 +1,11 @@
 #include "Plugin.h"
 
-#include <Conn.h>
-#include <Desc.h>
-#include <Event.h>
-#include <Func.h>
-#include <RunState.h>
-#include <threading/Formatter.h>
+#include <zeek/Conn.h>
+#include <zeek/Desc.h>
+#include <zeek/Event.h>
+#include <zeek/Func.h>
+#include <zeek/RunState.h>
+#include <zeek/threading/Formatter.h>
 #include <cstring>
 #include <set>
 
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h
index c95d9a82bc..21727786dd 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.h
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h
@@ -1,7 +1,7 @@
 
 #pragma once
 
-#include <plugin/Plugin.h>
+#include <zeek/plugin/Plugin.h>
 
 namespace btest::plugin::Demo_Hooks
 	{
diff --git a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
index dcac95fbb6..d245a214ad 100644
--- a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Packet-Plugin-Demo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
@@ -14,6 +13,5 @@ include(ZeekPlugin)
 zeek_plugin_begin(PacketDemo Bar)
 zeek_plugin_cc(src/Plugin.cc)
 zeek_plugin_cc(src/RawLayer.cc)
-zeek_plugin_cc(src/LLCDemo.cc)
 zeek_plugin_bif(src/events.bif)
 zeek_plugin_end()
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
index 80083daff0..5e8715bbe2 100644
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
+++ b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
@@ -1,2 +1 @@
 @load PacketDemo/RawLayer/base/main
-@load PacketDemo/LLCDemo/base/main
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
deleted file mode 100644
index 05b969607a..0000000000
--- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "LLCDemo.h"
-
-#include "zeek/Event.h"
-#include "zeek/Val.h"
-#include "zeek/session/Manager.h"
-
-#include "events.bif.h"
-
-using namespace zeek::packet_analysis::PacketDemo;
-
-LLCDemo::LLCDemo() : zeek::packet_analysis::Analyzer("LLC_Demo") { }
-
-bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
-	{
-	// Rudimentary parsing of 802.2 LLC
-	if ( 17 >= len )
-		{
-		session_mgr->Weird("truncated_llc_header", packet);
-		return false;
-		}
-
-	auto dsap = data[14];
-	auto ssap = data[15];
-	auto control = data[16];
-
-	event_mgr.Enqueue(llc_demo_message, val_mgr->Count(dsap), val_mgr->Count(ssap),
-	                  val_mgr->Count(control));
-
-	return true;
-	}
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h
deleted file mode 100644
index 626357644c..0000000000
--- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#pragma once
-
-#include "zeek/packet_analysis/Analyzer.h"
-#include "zeek/packet_analysis/Component.h"
-
-namespace zeek::packet_analysis::PacketDemo
-	{
-
-class LLCDemo : public Analyzer
-	{
-public:
-	LLCDemo();
-	~LLCDemo() override = default;
-
-	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
-
-	static AnalyzerPtr Instantiate() { return std::make_shared<LLCDemo>(); }
-	};
-
-	}
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
index a046c6d361..dbcf221eff 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc
@@ -1,6 +1,5 @@
 #include "Plugin.h"
 
-#include "LLCDemo.h"
 #include "RawLayer.h"
 #include "packet_analysis/Component.h"
 
@@ -14,12 +13,10 @@ public:
 		{
 		AddComponent(new zeek::packet_analysis::Component(
 			"Raw_Layer", zeek::packet_analysis::PacketDemo::RawLayer::Instantiate));
-		AddComponent(new zeek::packet_analysis::Component(
-			"LLC_Demo", zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "PacketDemo::Bar";
-		config.description = "Demo packet analyzers (RawLayer, LLC).";
+		config.description = "Demo packet analyzers (RawLayer).";
 		config.version.major = 1;
 		config.version.minor = 0;
 		config.version.patch = 0;
diff --git a/testing/btest/plugins/packet-protocol-plugin/src/events.bif b/testing/btest/plugins/packet-protocol-plugin/src/events.bif
index d70f3e1ea1..4f1f4fec9b 100644
--- a/testing/btest/plugins/packet-protocol-plugin/src/events.bif
+++ b/testing/btest/plugins/packet-protocol-plugin/src/events.bif
@@ -1,3 +1,2 @@
 
 event raw_layer_message%(message: string, protocol: count%);
-event llc_demo_message%(dsap: count, ssap: count, control: count%);
diff --git a/testing/btest/plugins/packet-protocol.zeek b/testing/btest/plugins/packet-protocol.zeek
index edf371b85c..96129e879a 100644
--- a/testing/btest/plugins/packet-protocol.zeek
+++ b/testing/btest/plugins/packet-protocol.zeek
@@ -16,9 +16,6 @@
 # @TEST-EXEC: test ! -e unknown_protocols.log
 # @TEST-EXEC: btest-diff output_raw
 # @TEST-EXEC: rm -f *.log
-#
-# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc
-# @TEST-EXEC: btest-diff output_llc
 
 @load policy/misc/unknown-protocols
 
diff --git a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt
index f611ab6b80..9b59801cae 100644
--- a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt
index f611ab6b80..9b59801cae 100644
--- a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/protocol-plugin/CMakeLists.txt b/testing/btest/plugins/protocol-plugin/CMakeLists.txt
index 53a50f3961..da3e5c3940 100644
--- a/testing/btest/plugins/protocol-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/protocol-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/reader-plugin/CMakeLists.txt b/testing/btest/plugins/reader-plugin/CMakeLists.txt
index f611ab6b80..9b59801cae 100644
--- a/testing/btest/plugins/reader-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/reader-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/writer-plugin/CMakeLists.txt b/testing/btest/plugins/writer-plugin/CMakeLists.txt
index f611ab6b80..9b59801cae 100644
--- a/testing/btest/plugins/writer-plugin/CMakeLists.txt
+++ b/testing/btest/plugins/writer-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.15)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/btest/plugins/zeek-version-link.zeek b/testing/btest/plugins/zeek-version-link.zeek
new file mode 100644
index 0000000000..d1e06b8d61
--- /dev/null
+++ b/testing/btest/plugins/zeek-version-link.zeek
@@ -0,0 +1,6 @@
+# @TEST-DOC: Poking at internals: Expect an undefined zeek_version_X_Y_Z_plugin symbol in the plugin's .so/.dynlib. If this test turns out to be brittle, remove it, but we lost the mechanism.
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Foo
+# @TEST-EXEC: cp -r %DIR/pktsrc-plugin/* .
+# @TEST-EXEC: (./configure --zeek-dist=${DIST} && VERBOSE=1 make) >&2
+# @TEST-EXEC: nm -u build/lib/Demo-Foo* > undefined.out
+# @TEST-EXEC:  grep -E 'zeek_version_[0-9]+_[0-9]+_[0-9]+.*_plugin_[0-9]+' undefined.out
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
index eff665fccb..d72b2f77b2 100644
--- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
@@ -10,15 +10,13 @@
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
 	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT5")), $manager="manager-1", $interface="eth1"],
 };
 @TEST-END-FILE
 
@@ -43,8 +41,6 @@ event zeek_init()
 	my_pool = Cluster::register_pool(my_pool_spec);
 	}
 
-global proxy_count = 0;
-
 event go_away()
 	{
 	terminate();
@@ -78,20 +74,14 @@ function print_stuff(heading: string)
 		}
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node != "manager-1" )
 		return;
 
-	if ( name == "proxy-1" || name == "proxy-2" )
-		++proxy_count;
-
-	if ( proxy_count == 2 )	
-		{
-		print_stuff("1st stuff");
-		local e = Broker::make_event(go_away);
-		Broker::publish(Cluster::node_topic("proxy-1"), e);
-		}
+	print_stuff("1st stuff");
+	local e = Broker::make_event(go_away);
+	Broker::publish(Cluster::node_topic("proxy-1"), e);
 	}
 
 event Cluster::node_down(name: string, id: string)
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
index 26127dc1e2..63081e2756 100644
--- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
@@ -10,15 +10,13 @@
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
 	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT5")), $manager="manager-1", $interface="eth1"],
 };
 @TEST-END-FILE
 
@@ -43,8 +41,6 @@ event zeek_init()
 	my_pool = Cluster::register_pool(my_pool_spec);
 	}
 
-global proxy_count = 0;
-
 event go_away()
 	{
 	terminate();
@@ -78,20 +74,14 @@ function print_stuff(heading: string)
 		}
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node != "manager-1" )
 		return;
 
-	if ( name == "proxy-1" || name == "proxy-2" )
-		++proxy_count;
-
-	if ( proxy_count == 2 )	
-		{
-		print_stuff("1st stuff");
-		local e = Broker::make_event(go_away);
-		Broker::publish(Cluster::node_topic("proxy-1"), e);
-		}
+	print_stuff("1st stuff");
+	local e = Broker::make_event(go_away);
+	Broker::publish(Cluster::node_topic("proxy-1"), e);
 	}
 
 event Cluster::node_down(name: string, id: string)
diff --git a/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek b/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek
index bc696123a5..81e1e7c087 100644
--- a/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/forwarding.zeek
@@ -1,39 +1,25 @@
 # @TEST-PORT: BROKER_PORT1
 # @TEST-PORT: BROKER_PORT2
 # @TEST-PORT: BROKER_PORT3
-# @TEST-PORT: BROKER_PORT4
-# @TEST-PORT: BROKER_PORT5
 #
-# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
-# @TEST-EXEC: btest-bg-run proxy-1   ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
-# @TEST-EXEC: btest-bg-run proxy-2   ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
+# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -B broker -b %INPUT
 # @TEST-EXEC: btest-bg-run worker-1  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
 # @TEST-EXEC: btest-bg-run worker-2  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
 # @TEST-EXEC: btest-bg-wait 45
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
-# @TEST-EXEC: btest-diff proxy-1/.stdout
-# @TEST-EXEC: btest-diff proxy-2/.stdout
+# @TEST-EXEC: btest-diff manager-1/.stdout
 # @TEST-EXEC: btest-diff worker-1/.stdout
 # @TEST-EXEC: btest-diff worker-2/.stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
-	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
-	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT5")), $manager="manager-1", $interface="eth1"],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1", $interface="eth1"],
 };
 @TEST-END-FILE
 
-global fully_connected: event();
-
-global peer_count = 0;
-global peers_lost = 0;
-global fully_connected_nodes = 0;
-
 redef Broker::forward_messages = T;
 
 event forwarded_event()
@@ -46,33 +32,17 @@ event forwarded_event()
 	terminate();
 	}
 
-event ready()
+event Cluster::Experimental::cluster_started()
 	{
 	# note that the publishing node, worker-1, will not receive the forwarded
 	# event as Broker's forwarding prevents the message going back to the
 	# immediate sender.
-	Broker::publish("test_topic", forwarded_event);
-	}
-
-event fully_connected()
-	{
-	if ( ! is_remote_event() )
-		return;
-
-	print "Got fully_connected event";
-	fully_connected_nodes = fully_connected_nodes + 1;
-
-	if ( Cluster::node == "manager-1" )
-		{
-		if ( peer_count == 4 && fully_connected_nodes == 4 )
-			Broker::publish(Cluster::node_topic("worker-1"), ready);
-		}
+	if ( Cluster::node == "worker-1" )
+		Broker::publish("test_topic", forwarded_event);
 	}
 
 event zeek_init()
 	{
-	Broker::auto_publish(Cluster::manager_topic, fully_connected);
-
 	if ( Cluster::node == "manager-1" )
 		Broker::forward("test_topic");
 	if ( Cluster::node == "worker-1" )
@@ -81,33 +51,7 @@ event zeek_init()
 		Broker::subscribe("test_topic");
 	}
 
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	print "Connected to a peer";
-	peer_count = peer_count + 1;
-
-	if ( Cluster::node == "manager-1" )
-		{
-		if ( peer_count == 4 && fully_connected_nodes == 4 )
-			Broker::publish(Cluster::node_topic("worker-1"), ready);
-		}
-	else
-		{
-		if ( peer_count == 3 )
-			event fully_connected();
-		}
-	}
-
 event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	{
-	++peers_lost;
-
-	if ( Cluster::node == "manager-1" )
-		{
-		if ( peers_lost == 2 )
-			# Both workers terminated
-			terminate();
-		}
-	else
-		terminate();
+	terminate();
 	}
diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek b/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek
index 940707665e..abf2b5d5bf 100644
--- a/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.zeek
@@ -14,7 +14,7 @@
 # @TEST-EXEC: btest-diff logger-1/test.log
 # @TEST-EXEC: btest-diff logger-10/test.log
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::manager_is_logger = F;
@@ -42,7 +42,6 @@ event zeek_init() &priority=5
 	Log::create_stream(Test::LOG, [$columns=Info, $path="test"]);
 	}
 
-global peer_count = 0;
 global c = 0;
 
 event go_away()
@@ -63,23 +62,17 @@ event do_count()
 		schedule 0.01sec { do_count() };
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
-	print "node_up", name;
-	++peer_count;
+	if ( Cluster::node != "worker-1" )
+		return;
 
-	if ( Cluster::node == "worker-1" && peer_count == 3 )
-		{
-		Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0;
-		schedule 0.25sec { do_count() };
-		}
+	Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0;
+	schedule 0.25sec { do_count() };
 	}
 
 event Cluster::node_down(name: string, id: string)
 	{
-	print "node_down", name;
-	--peer_count;
-
 	if ( name == "worker-1" )
 		schedule 2sec { go_away() };
 	}
diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek
index 6b7f70435f..39d83414c0 100644
--- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.zeek
@@ -10,20 +10,16 @@
 # @TEST-EXEC: btest-bg-wait 40
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
 	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT5")), $manager="manager-1", $interface="eth1"],
 };
 @TEST-END-FILE
 
-global proxy_count = 0;
-
 event go_away()
 	{
 	terminate();
@@ -48,20 +44,14 @@ function print_stuff(heading: string)
 		print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]);
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node != "manager-1" )
 		return;
 
-	if ( name == "proxy-1" || name == "proxy-2" )
-		++proxy_count;
-
-	if ( proxy_count == 2 )	
-		{
-		print_stuff("1st stuff");
-		local e = Broker::make_event(go_away);
-		Broker::publish(Cluster::node_topic("proxy-1"), e);
-		}
+	print_stuff("1st stuff");
+	local e = Broker::make_event(go_away);
+	Broker::publish(Cluster::node_topic("proxy-1"), e);
 	}
 
 event Cluster::node_down(name: string, id: string)
diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek
index c75ca7c368..60511faa09 100644
--- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.zeek
@@ -12,19 +12,16 @@
 # @TEST-EXEC: btest-diff proxy-1/.stdout
 # @TEST-EXEC: btest-diff proxy-2/.stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
 	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT5")), $manager="manager-1", $interface="eth1"],
 };
 @TEST-END-FILE
 
-global proxy_count = 0;
 global q = 0;
 
 event go_away()
@@ -59,20 +56,14 @@ function send_stuff(heading: string)
 										distributed_event_rr, v[i]);
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node != "manager-1" )
 		return;
 
-	if ( name == "proxy-1" || name == "proxy-2" )
-		++proxy_count;
-
-	if ( proxy_count == 2 )	
-		{
-		send_stuff("1st stuff");
-		local e = Broker::make_event(go_away);
-		Broker::publish(Cluster::node_topic("proxy-1"), e);
-		}
+	send_stuff("1st stuff");
+	local e = Broker::make_event(go_away);
+	Broker::publish(Cluster::node_topic("proxy-1"), e);
 	}
 
 event Cluster::node_down(name: string, id: string)
diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek b/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek
index accbff83c2..df0b081c06 100644
--- a/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.zeek
@@ -12,7 +12,7 @@
 # @TEST-EXEC: btest-diff manager-1/config.log
 
 @load base/frameworks/config
-
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -44,7 +44,7 @@ event zeek_init()
 	}
 
 @if ( Cluster::node == "worker-1" )
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
 	Config::set_value("testport", 44/tcp);
 	Config::set_value("teststring", "b", "comment");
@@ -68,15 +68,3 @@ event zeek_init() &priority=5
 	Option::set_change_handler("testport", option_changed, -100);
 	Option::set_change_handler("teststring", option_changed, -100);
 	}
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-event Cluster::node_up(name: string, id: string)
-	{
-	++peer_count;
-	if ( peer_count == 2 )
-		event ready_for_data();
-	}
-
-@endif
diff --git a/testing/btest/scripts/base/frameworks/input/from_json.zeek b/testing/btest/scripts/base/frameworks/input/from_json.zeek
new file mode 100644
index 0000000000..547738ad29
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/from_json.zeek
@@ -0,0 +1,71 @@
+# @TEST-DOC: Reading a jsonl file using the raw input reader and parsing via from_json()
+# @TEST-EXEC: zeek -b %INPUT >out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
+
+@TEST-START-FILE denylist.jsonl
+{"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-22T12:13:14"}
+{"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-23T13:14:15"}
+{"ip": "192.168.0.2", "source": "local"}
+{"source": "local"}
+{... ]
+{"ip": "8.8.4.4", "source": "remote"}
+@TEST-END-FILE
+
+redef exit_only_after_terminate = T;
+
+module A;
+
+type Line: record {
+	l: string;
+};
+
+type Deny: record {
+	ip: addr;
+	source: string;
+	timestamp: string &optional;
+	timestamp_parsed: time &optional;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, line: string)
+	{
+	local r = from_json(line, Deny);
+	if ( r$valid )
+		{
+		local deny = r$v as Deny;
+		if ( deny?$timestamp )
+			deny$timestamp_parsed = strptime("%Y-%m-%dT%H:%M:%S", deny$timestamp);
+
+		print fmt("Valid: %s (%s)", deny, line);
+		}
+	else
+		print fmt("Invalid: '%s'", line);
+	}
+
+event die()
+	{
+	if ( zeek_is_terminating() )
+		return;
+
+	print "error: test timeout";
+	exit(1);
+	}
+
+event zeek_init()
+	{
+	Input::add_event([
+		$source="denylist.jsonl",
+		$name="denylist",
+		$reader=Input::READER_RAW,
+		$fields=Line,
+		$ev=line,
+		$want_record=F
+	]);
+
+	schedule 5sec { die() };
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	Input::remove("deny");
+	terminate();
+	}
diff --git a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek
index f187187f68..138c83d299 100644
--- a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek
+++ b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek
@@ -13,10 +13,16 @@ sdf
 3rw43wRRERLlL#RWERERERE.
 @TEST-END-FILE
 
+@TEST-START-FILE input2.log
+Beginning of input2.log
+3rw43wRRERLlL#RWERERERE.
+game over
+@TEST-END-FILE
+
+redef Threading::heartbeat_interval = 100msec;
 redef exit_only_after_terminate = T;
 
 global outfile: file;
-global try: count;
 
 module A;
 
@@ -24,13 +30,27 @@ type Val: record {
 	s: string;
 };
 
-event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+global end_of_datas = 0;
+
+event Input::end_of_data(name: string, source: string)
 	{
-	print outfile, description;
-	print outfile, tpe;
-	print outfile, s;
-	try = try + 1;
-	if ( try == 16 )
+	++end_of_datas;
+	if ( end_of_datas > 1 )
+		return;
+
+	print outfile, "end_of_data, updating input.log";
+	# This should be recognized by the raw reader as file update (inode change)
+	# and the new file is reread.
+	system("mv ../input2.log ../input.log");
+	}
+
+global lines = 0;
+
+event A::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	++lines;
+	print outfile, lines, tpe, s, |s|;
+	if ( s == "game over" )
 		{
 		Input::remove("input");
 		close(outfile);
@@ -40,8 +60,6 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string)
 
 event zeek_init()
 	{
-	try = 0;
 	outfile = open("../out");
-	Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::REREAD, $name="input", $fields=Val, $ev=line, $want_record=F]);
-	Input::force_update("input");
+	Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::REREAD, $name="input", $fields=Val, $ev=A::line, $want_record=F]);
 	}
diff --git a/testing/btest/scripts/base/frameworks/input/raw/rereadraw2.zeek b/testing/btest/scripts/base/frameworks/input/raw/rereadraw2.zeek
new file mode 100644
index 0000000000..c996166d94
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/raw/rereadraw2.zeek
@@ -0,0 +1,64 @@
+# @TEST-DOC: The raw reader would read a file in MODE_REREAD twice initially. Check this is fixed by running with reduced heartbeat_interval and waiting for 20 intervals after the first end_of_data event.
+#
+# @TEST-EXEC: zeek -b %INPUT > out
+# @TEST-EXEC: btest-diff out
+
+@TEST-START-FILE input.log
+First
+Second
+Third
+
+Fourth
+@TEST-END-FILE
+
+@load base/frameworks/input
+
+# By default the heartbeat timer is 1sec. To avoid running this test for
+# multiple seconds, tune it down 100x. 10msec is still pretty long.
+redef Threading::heartbeat_interval = 10msec;
+redef exit_only_after_terminate = T;
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+event do_terminate()
+	{
+	if ( zeek_is_terminating() )
+		return;
+
+	print "terminate";
+	terminate();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	print "end_of_data", name, source;
+	schedule 20 * Threading::heartbeat_interval { do_terminate() };
+	}
+
+global lines = 0;
+
+event A::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	++lines;
+	print "A::line", lines, s, |s|;
+	}
+
+event zeek_init()
+	{
+	# In case something goes wrong.
+	schedule 10sec { do_terminate() };
+
+	Input::add_event([
+		$source="./input.log",
+		$reader=Input::READER_RAW,
+		$mode=Input::REREAD,
+		$name="input",
+		$fields=Val,
+		$ev=A::line,
+		$want_record=F,
+	]);
+	}
diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek
index 108663bc77..7980ca47d4 100644
--- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek
+++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek
@@ -26,7 +26,7 @@ redef Cluster::nodes = {
 };
 @TEST-END-FILE
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 @load base/frameworks/intel
 
 module Intel;
@@ -41,33 +41,12 @@ redef Intel::send_store_on_node_up = F;
 
 global log_writes = 0;
 global worker_data = 0;
-global proxy_ready = F;
 global sent_data = F;
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
-	if ( Cluster::local_node_type() == Cluster::PROXY &&
-		 Cluster::get_active_node_count(Cluster::WORKER) == 2 )
-		{
-		# Make the proxy tell the manager explicitly when both workers
-		# have checked in. The cluster framework normally generates this
-		# event with the Broker ID as second argument. We borrow the
-		# event to signal readiness, using recognizable arguments.
-		Broker::publish(Cluster::manager_topic, Cluster::node_up, Cluster::node, Cluster::node);
-		return;
-		}
-
 	if ( Cluster::local_node_type() == Cluster::MANAGER )
-		{
-		if ( name == "proxy-1" && id == "proxy-1" )
-			proxy_ready = T;
-
-		# Insert data once both workers and the proxy are connected, and
-		# the proxy has indicated that it too has both workers connected.
-		if ( Cluster::get_active_node_count(Cluster::WORKER) == 2 &&
-			 Cluster::proxy_pool$alive_count == 1 && proxy_ready )
-			Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]);
-		}
+		Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]);
 	}
 
 # Watch for new indicators sent to workers.
diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek
index 38f7cb75ae..2fd2529431 100644
--- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek
+++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek
@@ -22,21 +22,18 @@ redef Cluster::nodes = {
 };
 @TEST-END-FILE
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 @load base/frameworks/intel
 
 module Intel;
 
 redef Log::default_rotation_interval=0sec;
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
 	# Insert the data once both workers are connected.
-	if ( Cluster::local_node_type() == Cluster::MANAGER &&
-		 Cluster::get_active_node_count(Cluster::WORKER) == 2 )
-		{
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
 		Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]);
-		}
 	}
 
 global log_writes = 0;
diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
index 3965214db4..833214f502 100644
--- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
@@ -28,6 +28,7 @@ e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distribut
 
 @load base/frameworks/control
 @load base/frameworks/intel
+@load policy/frameworks/cluster/experimental
 redef Log::default_rotation_interval=0sec;
 
 module Intel;
@@ -55,31 +56,16 @@ event do_it()
 		Broker::publish(Cluster::node_topic("manager-1"), do_it);
 	}
 
-global hi_count = 0;
-
 event start_it()
 	{
 	Broker::publish(Cluster::node_topic("worker-1"), do_it);
 	}
 
-event hi()
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node == "manager-1" )
-		{
-		++hi_count;
-
-		if ( hi_count == 2 )
-			# Give more time for intel distribution.
-			schedule 1sec { start_it() };
-		}
-	else
-		Broker::publish(Cluster::node_topic("manager-1"), hi);
-	}
-
-event Cluster::node_up(name: string, id: string) &priority=-100
-	{
-	if ( Cluster::node == "manager-1" )
-		Broker::publish(Cluster::node_topic(name), hi);
+		# Give more time for intel distribution.
+		schedule 1sec { start_it() };
 	}
 
 event do_terminate()
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
index 2be763ef7d..6ec58eefe6 100644
--- a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
@@ -9,7 +9,7 @@
 # @TEST-EXEC: btest-diff manager-1/intel.log
 
 @load base/frameworks/intel
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 # @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -41,8 +41,11 @@ event test_manager()
 	Broker::publish(Cluster::worker_topic, test_worker);
 	}
 
-event ready()
+event Cluster::Experimental::cluster_started()
 	{
+	if ( Cluster::node != "manager-1" )
+		return;
+
 	# Insert the data once all workers are connected.
 	Intel::insert([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
 	Intel::insert([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
@@ -54,12 +57,6 @@ event ready()
 	event test_manager();
 	}
 
-event Cluster::node_up(name: string, id: string)
-	{
-	if ( Cluster::node == "worker-1" )
-		Broker::publish(Cluster::manager_topic, ready);
-	}
-
 event Intel::remove_item(item: Item, purge_indicator: bool)
 	{
 	print fmt("Removing %s (source: %s).", item$indicator, item$meta$source);
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-pp-env.zeek b/testing/btest/scripts/base/frameworks/logging/rotate-pp-env.zeek
new file mode 100644
index 0000000000..15296542f8
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/rotate-pp-env.zeek
@@ -0,0 +1,32 @@
+# @TEST-DOC: Using a custom environment for the postprocessor command.
+# @TEST-EXEC: ZEEK_ARG_EXTERNAL=external zeek -b -r ${TRACES}/rotation.trace %INPUT >out 2>&1
+# @TEST-EXEC: btest-diff out
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id;
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef Log::default_rotation_postprocessor_cmd = "env | grep ZEEK_ARG | sort; true ";
+
+redef Log::default_rotation_postprocessor_cmd_env += {
+	["REDEF"] = "redef",
+};
+
+event zeek_init()
+	{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::default_rotation_postprocessor_cmd_env["INIT"] = "zeek_init";
+	}
+
+event new_connection(c: connection)
+	{
+	Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
+	}
diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.zeek b/testing/btest/scripts/base/frameworks/notice/cluster.zeek
index ee7bb55273..e6b2d5e0b2 100644
--- a/testing/btest/scripts/base/frameworks/notice/cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/notice/cluster.zeek
@@ -8,7 +8,7 @@
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff manager-1/notice.log
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 @load base/frameworks/notice
 
 @TEST-START-FILE cluster-layout.zeek
@@ -25,11 +25,6 @@ redef enum Notice::Type += {
 	Test_Notice,
 };
 
-event Cluster::node_down(name: string, id: string)
-	{
-	terminate();
-	}
-
 event delayed_notice()
 	{
 	if ( Cluster::node == "worker-1" )
@@ -41,27 +36,16 @@ event terminate_me()
 	terminate();
 	}
 
-event ready()
+event Cluster::Experimental::cluster_started()
 	{
+	if ( Cluster::node != "worker-1" )
+		return;
+
 	schedule 1secs { delayed_notice() };
 	schedule 2secs { terminate_me() };
 	}
 
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-
-event Cluster::node_up(name: string, id: string)
-	{
-	peer_count = peer_count + 1;
-
-	if ( peer_count == 2 )
-		Broker::publish(Cluster::worker_topic, ready);
-	}
-
 event Cluster::node_down(name: string, id: string)
 	{
 	terminate();
 	}
-
-@endif
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek
index 68a44e3ea2..68d4407e74 100644
--- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek
@@ -11,7 +11,7 @@
 # @TEST-EXEC: btest-diff manager-1/notice.log
 
 @load base/frameworks/notice
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -63,14 +63,9 @@ event Notice::begin_suppression(ts: time, suppress_for: interval, note: Notice::
 
 @if ( Cluster::local_node_type() == Cluster::MANAGER )
 
-global peer_count = 0;
-
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
-	peer_count = peer_count + 1;
-
-	if ( peer_count == 3 )
-		Broker::publish(Cluster::node_topic("worker-2"), do_notice);
+	Broker::publish(Cluster::node_topic("worker-2"), do_notice);
 	}
 
 global proceed_count = 0;
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek
index c486149260..bfc4800f5e 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek
@@ -10,7 +10,7 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
 
 @load base/frameworks/sumstats
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -49,9 +49,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	terminate();
 	}
 
-global ready_for_data: event();
-
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node == "worker-1" )
 		{
@@ -76,22 +74,3 @@ event ready_for_data()
 
 	did_data = T;
 	}
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-event zeek_init() &priority=100
-	{
-	Broker::auto_publish(Cluster::worker_topic, ready_for_data);
-	}
-
-global peer_count = 0;
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	++peer_count;
-
-	if ( peer_count == 2 )
-		event ready_for_data();
-	}
-
-@endif
diff --git a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek
index ae7e704efe..8732b2aea9 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek
@@ -10,7 +10,7 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
 
 @load base/frameworks/sumstats
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -95,7 +95,7 @@ event send_ready_for_data()
 	}
 
 
-event cont_test()
+event Cluster::Experimental::cluster_started()
 	{
 	print "Performing first epoch, no observations";
 	local ret = SumStats::next_epoch("test");
@@ -110,14 +110,4 @@ event zeek_init() &priority=100
 	Broker::auto_publish(Cluster::worker_topic, ready_for_data);
 	}
 
-global peer_count = 0;
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	++peer_count;
-
-	if ( peer_count == 2 )
-		event cont_test();
-	}
-
 @endif
diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek
index 975d4faf8c..0b4b766745 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek
@@ -10,7 +10,7 @@
 # @TEST-EXEC: btest-diff manager-1/.stdout
 #
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 @load base/frameworks/sumstats
 
 @TEST-START-FILE cluster-layout.zeek
@@ -38,8 +38,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	terminate();
 	}
 
-global ready_for_data: event();
-
 event on_demand()
 	{
 	local host = 7.2.1.5;
@@ -63,7 +61,7 @@ event ready_to_demand()
 		event on_demand();
 	}
 
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node == "worker-1" )
 		{
@@ -82,15 +80,3 @@ event ready_for_data()
 
 	Broker::publish(Cluster::manager_topic, ready_to_demand);
 	}
-
-global peer_count = 0;
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	if ( Cluster::node != "manager-1" )
-		return;
-
-	++peer_count;
-	if ( peer_count == 2 )
-		Broker::publish(Cluster::worker_topic, ready_for_data);
-	}
-
diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek
index ec1524e7a5..bc5df085e1 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek
@@ -10,7 +10,7 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
 
 @load base/frameworks/sumstats
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
@@ -52,15 +52,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	terminate();
 	}
 
-global ready_for_data: event();
-
-event zeek_init()
-	{
-	Broker::auto_publish(Cluster::worker_topic, ready_for_data);
-
-	}
-
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
 	if ( Cluster::node == "worker-1" )
 		{
@@ -112,15 +104,3 @@ event ready_for_data()
 
 	did_data = T;
 	}
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	++peer_count;
-	if ( peer_count == 2 )
-		event ready_for_data();
-	}
-
-@endif
diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek
index 2fb675d514..f4551f9df8 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek
@@ -18,7 +18,7 @@ redef Cluster::nodes = {
 @TEST-END-FILE
 
 @load base/frameworks/sumstats
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 redef Log::default_rotation_interval = 0secs;
 
@@ -57,14 +57,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 	terminate();
 	}
 
-global ready_for_data: event();
-
-event zeek_init()
-	{
-	Broker::auto_publish(Cluster::worker_topic, ready_for_data);
-	}
-
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
 	const loop_v: vector of count = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100};
 
@@ -105,16 +98,3 @@ event ready_for_data()
 
 	did_data = T;
 	}
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	++peer_count;
-	if ( peer_count == 2 )
-		event ready_for_data();
-	}
-
-@endif
-
diff --git a/testing/btest/scripts/base/frameworks/telemetry/cluster.zeek b/testing/btest/scripts/base/frameworks/telemetry/cluster.zeek
index df9ae29b32..56ea828b36 100644
--- a/testing/btest/scripts/base/frameworks/telemetry/cluster.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/cluster.zeek
@@ -19,7 +19,16 @@
 # @TEST-EXEC: btest-bg-wait 10
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
+@TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
+	["logger-1"] = [$node_type=Cluster::LOGGER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
+	["proxy-1"] = [$node_type=Cluster::PROXY,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+@load policy/frameworks/cluster/experimental
 @load base/frameworks/telemetry
 @load base/utils/active-http
 
@@ -57,8 +66,6 @@ event run_test()
 		}
 	}
 
-global node_count = 0;
-
 @if ( Cluster::node == "manager-1" )
 # Use a dynamic metrics port for testing to avoid colliding on 9911/tcp
 # when running tests in parallel.
@@ -70,14 +77,11 @@ event zeek_init()
 	print Cluster::node, "original Broker::metrics_port", orig_metrics_port;
 	}
 
-event Cluster::node_up(name: string, id: string)
+event Cluster::Experimental::cluster_started()
 	{
-	++node_count;
-	# Run the test after all nodes are up and metrics_export_interval
+	# Run the test once all nodes are up and metrics_export_interval
 	# has passed at least once.
-	if ( Cluster::node == "manager-1" )
-		if ( node_count == 3 )
-			schedule 2 * Broker::metrics_export_interval { run_test() };
+	schedule 2 * Broker::metrics_export_interval { run_test() };
 	}
 @endif
 
@@ -87,12 +91,3 @@ event Cluster::node_down(name: string, id: string)
 	print fmt("node_down on %s", Cluster::node);
 	terminate();
 	}
-
-@TEST-START-FILE cluster-layout.zeek
-redef Cluster::nodes = {
-	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
-	["logger-1"] = [$node_type=Cluster::LOGGER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
-	["proxy-1"] = [$node_type=Cluster::PROXY,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1"],
-	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT4")), $manager="manager-1", $interface="eth0"],
-};
-@TEST-END-FILE
diff --git a/testing/btest/scripts/base/protocols/ntp/misordered-ntp.test b/testing/btest/scripts/base/protocols/ntp/misordered-ntp.test
new file mode 100644
index 0000000000..91d4bc50ae
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/misordered-ntp.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/ntp/misordered-ntp.pcap %INPUT
+# @TEST-EXEC: btest-diff ntp.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/conn
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+	{
+	print fmt("ntp_message %s -> %s:%d (%s)", c$id$orig_h, c$id$resp_h, c$id$resp_p, c$history);
+	}
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-max-pending-messages.test b/testing/btest/scripts/base/protocols/smb/smb2-max-pending-messages.test
new file mode 100644
index 0000000000..e2558ec83d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-max-pending-messages.test
@@ -0,0 +1,18 @@
+# @TEST-DOC: Pcap contains 100 file transfers (read requests), force BPF filtering such that the responses aren't seen and we have state growth. Verify a low SMB::max_pending_messages triggers, logs a weird and that script-land message state is reset.
+# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb2_100_small_files.pcap -f 'src port not 445 or tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0' %INPUT >out
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+redef SMB::max_pending_messages = 20;
+
+event smb2_discarded_messages_state(c: connection, request: string) &priority=10
+	{
+	print "smb2_discarded_messages_state before", request, |c$smb_state$pending_cmds|;
+	}
+
+event smb2_discarded_messages_state(c: connection, request: string) &priority=-10
+	{
+	print "smb2_discarded_messages_state after", request, |c$smb_state$pending_cmds|;
+	}
diff --git a/testing/btest/scripts/base/protocols/snap/snap-arp.test b/testing/btest/scripts/base/protocols/snap/snap-arp.test
new file mode 100644
index 0000000000..ac903d7310
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/snap/snap-arp.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/snap-arp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-13.test b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
new file mode 100644
index 0000000000..5fcb4d8b69
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
@@ -0,0 +1,30 @@
+# This tests a normal SSL connection and the log it outputs.
+
+# @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
+# @TEST-EXEC: cp ssl.log ssl-all.log
+# @TEST-EXEC: echo "start CID test"
+# @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-cid.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: test ! -f dpd.log
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+	{
+	print "CH", c$id, version, record_version;
+	}
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+	{
+	print "SH", c$id, version, record_version;
+	}
+
+event ssl_extension_connection_id(c: connection, is_client: bool, cid: string)
+	{
+	print "CID", c$id, is_client, cid;
+	}
+
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
+	{
+	print "Encrypted", c$id, is_client, record_version, content_type, length;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
new file mode 100644
index 0000000000..0d68f8495d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
@@ -0,0 +1,5 @@
+# This tests that no error messages are output when a protocol violation occurs
+
+# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
+# @TEST-EXEC: test -f dpd.log
+# @TEST-EXEC: btest-diff .stderr
diff --git a/testing/btest/scripts/policy/frameworks/cluster/cluster_started.zeek b/testing/btest/scripts/policy/frameworks/cluster/cluster_started.zeek
index 57f2671ff5..0f91d89635 100644
--- a/testing/btest/scripts/policy/frameworks/cluster/cluster_started.zeek
+++ b/testing/btest/scripts/policy/frameworks/cluster/cluster_started.zeek
@@ -13,7 +13,6 @@
 # @TEST-EXEC: btest-bg-wait 40
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
 @load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
diff --git a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_logger.zeek b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_logger.zeek
index 4781f3fe03..d18bf8a4a4 100644
--- a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_logger.zeek
+++ b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_logger.zeek
@@ -15,7 +15,6 @@
 # @TEST-EXEC: btest-bg-wait 40
 # @TEST-EXEC: btest-diff manager-1/.stdout
 
-@load base/frameworks/cluster
 @load policy/frameworks/cluster/experimental
 
 @TEST-START-FILE cluster-layout.zeek
diff --git a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_manager.zeek b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_manager.zeek
index 8e5f8a2f33..1000fa5cd7 100644
--- a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_manager.zeek
+++ b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_manager.zeek
@@ -11,7 +11,6 @@
 # @TEST-EXEC: btest-diff zeek/worker-1/stdout
 # @TEST-EXEC: btest-diff zeek/proxy-1/stdout
 
-@load base/frameworks/cluster
 @load policy/frameworks/cluster/experimental
 
 # So the supervised node doesn't terminate right away.
diff --git a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_worker.zeek b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_worker.zeek
index c36e136234..02a4e8d923 100644
--- a/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_worker.zeek
+++ b/testing/btest/scripts/policy/frameworks/cluster/cluster_started_restart_worker.zeek
@@ -12,7 +12,6 @@
 # @TEST-EXEC: btest-diff zeek/worker-2/stdout
 # @TEST-EXEC: btest-diff zeek/proxy-1/stdout
 
-@load base/frameworks/cluster
 @load policy/frameworks/cluster/experimental
 
 # So the supervised node doesn't terminate right away.
diff --git a/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
index 9b5926bc5a..b50fa720ca 100644
--- a/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
+++ b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
@@ -18,7 +18,7 @@ redef Cluster::nodes = {
 @TEST-END-FILE
 
 @load misc/weird-stats
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 redef Cluster::retry_interval = 1sec;
 redef Broker::default_listen_retry = 1sec;
@@ -44,8 +44,11 @@ event ready_again()
 	schedule 5secs { terminate_me() };
 	}
 
-event ready_for_data()
+event Cluster::Experimental::cluster_started()
 	{
+	if ( Cluster::node == "manager-1" )
+		return;
+
 	local n = 0;
 
 	if ( Cluster::node == "worker-1" )
@@ -70,18 +73,3 @@ event ready_for_data()
 
 	schedule 5secs { ready_again() };
 	}
-
-
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-
-global peer_count = 0;
-
-event Cluster::node_up(name: string, id: string)
-	{
-	++peer_count;
-
-	if ( peer_count == 2 )
-		Broker::publish(Cluster::worker_topic, ready_for_data);
-	}
-
-@endif
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
index 8d0c9ad873..1d486032c6 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
@@ -11,6 +11,7 @@ redef SSL::ct_logs += {
 ["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = SSL::CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"),
 ["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = SSL::CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
 ["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = SSL::CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"),
+["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = SSL::CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="https://ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"),
 };
 
 module SSL;
diff --git a/testing/btest/scripts/site/local-compat.test b/testing/btest/scripts/site/local-compat.test
index 299191c39e..3c8a9d7f0c 100644
--- a/testing/btest/scripts/site/local-compat.test
+++ b/testing/btest/scripts/site/local-compat.test
@@ -15,7 +15,7 @@
 # # simply update this test's TEST-START-FILE with the latest contents
 # site/local.zeek.
 
-@TEST-START-FILE local-6.0.zeek
+@TEST-START-FILE local-6.1.zeek
 ##! Local site policy. Customize as appropriate.
 ##!
 ##! This file will not be overwritten when upgrading or reinstalling!
diff --git a/testing/btest/spicy/analyzer-tag.zeek b/testing/btest/spicy/analyzer-tag.zeek
new file mode 100644
index 0000000000..5e3b71a21d
--- /dev/null
+++ b/testing/btest/spicy/analyzer-tag.zeek
@@ -0,0 +1,33 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o ssh.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC: zeek -b Zeek::Spicy ssh.hlto %INPUT >>output
+# @TEST-EXEC: echo >>output
+# @TEST-EXEC: zeek -b Zeek::Spicy %INPUT >>output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Check that we can access ANALYZER_* tags during Zeek-side script parse time.
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+public type Banner = unit {};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner;
+# @TEST-END-FILE
+
+@ifdef ( Analyzer::ANALYZER_SPICY_SSH )
+event zeek_init()
+    {
+    print "Have analyzer!";
+    print fmt("tag: %s", Analyzer::get_tag("spicy_SSH"));
+    print fmt("name: %s", Analyzer::name(Analyzer::ANALYZER_SPICY_SSH));
+    }
+@else
+event zeek_init()
+    {
+    print "Do not have analyzer!";
+    }
+@endif
diff --git a/testing/btest/spicy/availability.zeek b/testing/btest/spicy/availability.zeek
new file mode 100644
index 0000000000..1aaa9d6f37
--- /dev/null
+++ b/testing/btest/spicy/availability.zeek
@@ -0,0 +1,15 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: zeek %INPUT | grep -q yes
+# @TEST-EXEC: zeek -b Zeek::Spicy %INPUT | grep -q yes
+# @TEST-EXEC: if zeek -N Zeek::Spicy | grep -q built-in; then zeek -b %INPUT | grep -q yes; else  zeek -b %INPUT | grep -q no; fi
+#
+# @TEST-DOC: Confirms `Zeek::available` signals correctly whether the Spicy plugin is loaded and active.
+#
+# Note that bare mode, by default, doesn't activate the plugin.
+
+@ifdef ( Spicy::available )
+    print "yes";
+@else
+    print "no";
+@endif
diff --git a/testing/btest/spicy/conn-id.spicy b/testing/btest/spicy/conn-id.spicy
new file mode 100644
index 0000000000..e843815984
--- /dev/null
+++ b/testing/btest/spicy/conn-id.spicy
@@ -0,0 +1,21 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto %INPUT test.evt
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/ftp/ipv6.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output
+# @TEST-EXEC: btest-diff output
+
+module Test;
+
+import zeek;
+
+public type Foo = unit {
+    on %init { print zeek::conn_id(); }
+    x : /./;
+};
+
+# @TEST-START-FILE test.evt
+protocol analyzer spicy::Test over TCP:
+    port 21/tcp-22/tcp,
+    parse originator with Test::Foo;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/context.spicy b/testing/btest/spicy/context.spicy
new file mode 100644
index 0000000000..b0f5705a34
--- /dev/null
+++ b/testing/btest/spicy/context.spicy
@@ -0,0 +1,50 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o x.hlto %INPUT ./ssh.evt
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy x.hlto Spicy::enable_print=T >output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Check that the Zeek plugin passes a (and the same) %context object to both sides of a connection.
+
+module SSH;
+
+type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+
+type Context = tuple<orig_version: bytes, resp_version: bytes>;
+
+function print_if_we_have_seen_both_sides(ctx: Context&) {
+    if ( |ctx.orig_version| && |ctx.resp_version| )
+        print ctx;
+}
+
+public type Originator = unit {
+    %context = Context;
+
+    banner: Banner {
+        self.context().orig_version += self.banner.version;
+    }
+    on %done { print_if_we_have_seen_both_sides(self.context()); }
+};
+
+public type Responder = unit {
+    %context = Context;
+
+    banner: Banner {
+        self.context().resp_version += self.banner.version;
+    }
+
+    on %done { print_if_we_have_seen_both_sides(self.context()); }
+};
+
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    port 22/tcp,
+    parse originator with SSH::Originator,
+    parse responder with SSH::Responder;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/double-event.zeek b/testing/btest/spicy/double-event.zeek
new file mode 100644
index 0000000000..3345f760e2
--- /dev/null
+++ b/testing/btest/spicy/double-event.zeek
@@ -0,0 +1,33 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+event ssh::banner(i: int, software: string)
+	{
+	print i, software;
+	}
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner -> event ssh::banner(1, self.software);
+on SSH::Banner -> event ssh::banner(2, self.software);
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/double-type-registration.zeek b/testing/btest/spicy/double-type-registration.zeek
new file mode 100644
index 0000000000..a1505b3b6d
--- /dev/null
+++ b/testing/btest/spicy/double-type-registration.zeek
@@ -0,0 +1,34 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -L . -d -o a.hlto a.spicy
+# @TEST-EXEC: spicyz -L . -d -o b.hlto b.spicy
+# @TEST-EXEC: zeek a.hlto b.hlto
+#
+# @TEST-EXEC: spicyz -d -o a.hlto a.spicy common.spicy
+# @TEST-EXEC: spicyz -d -o b.hlto b.spicy common.spicy
+# @TEST-EXEC: zeek a.hlto b.hlto
+#
+# @TEST-DOC: Regression test for #177.
+
+# @TEST-START-FILE common.spicy
+module common;
+
+public type E = enum {
+	X,
+	Y,
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE a.spicy
+module a;
+
+import common;
+global x: common::E;
+# @TEST-END-FILE
+
+# @TEST-START-FILE b.spicy
+module b;
+
+import common;
+global x: common::E;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/double-types.zeek b/testing/btest/spicy/double-types.zeek
new file mode 100644
index 0000000000..082012d5ef
--- /dev/null
+++ b/testing/btest/spicy/double-types.zeek
@@ -0,0 +1,63 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto dtest.spicy ./dtest.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+event dtest_message(x: dtest::FUNCS) {
+    print "dtest_message", x;
+}
+
+event dtest_result(y: dtest::RESULT) {
+    print "dtest_result", y;
+}
+
+type R: record {
+    x: dtest::FUNCS;
+    y: dtest::RESULT;
+};
+
+event dtest_result_tuple(r: R) {
+    print "dtest_result_tuple", r$x, r$y;
+}
+
+# @TEST-START-FILE dtest.evt
+
+protocol analyzer spicy::dtest over TCP:
+    parse originator with dtest::Message,
+    port 22/tcp;
+
+on dtest::Message -> event dtest_message(self.func);
+
+on dtest::Message -> event dtest_result(self.sub.result);
+
+on dtest::Message -> event dtest_result_tuple(dtest::bro_result(self));
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE dtest.spicy
+
+module dtest;
+
+public type FUNCS = enum {
+ A=0, B=1, C=2, D=3, E=4, F=5, YES=83
+};
+
+public type RESULT = enum {
+ A, B, C, D, E, F, YES_AGAIN=83
+};
+
+public type Message = unit {
+  func: uint8 &convert=FUNCS($$);
+  sub: SubMessage;
+};
+
+public type SubMessage = unit {
+  result: uint8 &convert=RESULT($$);
+};
+
+public function bro_result(entry: Message) : tuple<FUNCS, RESULT>  {
+	return (entry.func, entry.sub.result);
+}
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/event-args-fail.evt b/testing/btest/spicy/event-args-fail.evt
new file mode 100644
index 0000000000..8cb0243d02
--- /dev/null
+++ b/testing/btest/spicy/event-args-fail.evt
@@ -0,0 +1,34 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC-FAIL: spicyz -d -o test.hlto %INPUT test.spicy >output 2>&1
+# @TEST-EXEC:      TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+#
+# @TEST-DOC: In EVT, provide access to hooks arguments
+
+# @TEST-START-FILE test.spicy
+module SSH;
+public type Banner = unit {};
+# @TEST-END-FILE
+
+# Wrong/unknown. parameter type
+on SSH::Banner::%error(msg: bytes) -> event Banner::error(msg);
+
+# @TEST-START-NEXT
+# Wrong signature
+on SSH::Banner::%error(msg: string, foo: uint64) -> event Banner::error(msg);
+
+# @TEST-START-NEXT
+# Wrong signature
+on SSH::Banner::%error(msg: uint64) -> event Banner::error(msg);
+
+# @TEST-START-NEXT
+# Syntax error
+on SSH::Banner::%error(msg: string,) -> event Banner::error(msg);
+
+# @TEST-START-NEXT
+# Syntax error
+on SSH::Banner::%error(,msg: string) -> event Banner::error(msg);
+
+# @TEST-START-NEXT
+# Syntax error
+on SSH::Banner::%error(msg) -> event Banner::error(msg);
diff --git a/testing/btest/spicy/event-args-mismatch.zeek b/testing/btest/spicy/event-args-mismatch.zeek
new file mode 100644
index 0000000000..7eb330c122
--- /dev/null
+++ b/testing/btest/spicy/event-args-mismatch.zeek
@@ -0,0 +1,30 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+#
+# @TEST-DOC: Test error reporting when an Zeek-side event parameter type does not match what Spicy sends.
+
+event Banner::error(i: count) { }
+
+# @TEST-START-FILE test.spicy
+module SSH;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /KAPUTT/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp;
+
+on SSH::Banner::magic -> event Banner::error(self.magic); # Error: string -> count
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/event-args.zeek b/testing/btest/spicy/event-args.zeek
new file mode 100644
index 0000000000..32dfa2a960
--- /dev/null
+++ b/testing/btest/spicy/event-args.zeek
@@ -0,0 +1,33 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT >output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+#
+# @TEST-DOC: In EVT, provide access to hooks arguments
+
+event Banner::error(msg: string) {
+    print fmt("Error message: %s", msg);
+}
+
+# @TEST-START-FILE test.spicy
+module SSH;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /KAPUTT/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp;
+
+on SSH::Banner::%error(msg: string) -> event Banner::error(msg);
+on SSH::Banner::%error() -> event Banner::error("n/a");
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/event-cond.zeek b/testing/btest/spicy/event-cond.zeek
new file mode 100644
index 0000000000..23728f766f
--- /dev/null
+++ b/testing/btest/spicy/event-cond.zeek
@@ -0,0 +1,58 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT | sort  >output
+# @TEST-EXEC: btest-diff output
+
+event ssh::banner1(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "1", software;
+	}
+
+event ssh::banner2(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "2", software;
+	}
+
+event ssh::banner3(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "3", software;
+	}
+
+event ssh::banner4(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "4", software;
+	}
+
+event ssh::banner5(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "5", software;
+	}
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+import zeek;
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner if ( True ) -> event ssh::banner1($conn, $is_orig, self.version, self.software);
+on SSH::Banner if ( False )-> event ssh::banner2($conn, $is_orig, self.version, self.software);
+on SSH::Banner if ( self.software == b"OpenSSH_3.9p1" )-> event ssh::banner3($conn, $is_orig, self.version, self.software);
+on SSH::Banner if ( self.software != b"OpenSSH_3.9p1" )-> event ssh::banner4($conn, $is_orig, self.version, self.software);
+on SSH::Banner if ( zeek::is_orig() ) -> event ssh::banner5($conn, $is_orig, self.version, self.software);
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/event-user-type b/testing/btest/spicy/event-user-type
new file mode 100644
index 0000000000..75f99b4042
--- /dev/null
+++ b/testing/btest/spicy/event-user-type
@@ -0,0 +1,43 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d foo.spicy foo.evt -o foo.hlto
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto foo.zeek >output 2>&1
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Validate that one can pass a user-specified type in an event handler. This is a regression test for #142, plus now a test for "export".
+
+# @TEST-START-FILE foo.spicy
+module foo;
+
+global n: uint64 = 0;
+
+public type X = unit { y: Y; };
+
+type Y = unit {
+    var n: uint64;
+    on %init {
+        n += 1;
+        self.n = n;
+    }
+    y: bytes &until=b"\x0a";
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.evt
+protocol analyzer spicy::foo over UDP:
+    parse with foo::X,
+    ports { 12345/udp, 31337/udp };
+
+import foo;
+
+export foo::Y;
+
+on foo::X -> event foo::X($conn, $is_orig, self.y);
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.zeek
+event foo::X(c: connection, is_orig: bool, y: foo::Y)
+{
+	print fmt("is_orig=%d y=%s", is_orig, y);
+}
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/export-enum.zeek b/testing/btest/spicy/export-enum.zeek
new file mode 100644
index 0000000000..514cade8c9
--- /dev/null
+++ b/testing/btest/spicy/export-enum.zeek
@@ -0,0 +1,31 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o x.hlto tupleenum.spicy ./tupleenum.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace x.hlto %INPUT >>output
+# @TEST-EXEC: zeek -NN x.hlto | grep TestEnum >>output
+#
+# @TEST-EXEC: btest-diff output
+
+event zeek_init() {
+  local i: TupleEnum::TestEnum;
+
+  i = TupleEnum::TestEnum_A;
+  print i;
+
+  i = TupleEnum::TestEnum_Undef;
+  print i;
+}
+
+# @TEST-START-FILE tupleenum.evt
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE tupleenum.spicy
+
+module TupleEnum;
+
+public type TestEnum = enum {
+    A = 83, B = 84, C = 85
+};
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/export-type-e2e.zeek b/testing/btest/spicy/export-type-e2e.zeek
new file mode 100644
index 0000000000..ce9b402b1b
--- /dev/null
+++ b/testing/btest/spicy/export-type-e2e.zeek
@@ -0,0 +1,31 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -do export.hlto export.spicy export.evt
+# @TEST-EXEC: zeek -Cr $TRACES/http/pipelined-requests.trace export.hlto %INPUT >>output
+# @TEST-EXEC: test '!' -e reporter.log
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Test type export end-to-end, with access from the Zeek side. Regression test for #3083.
+
+# @TEST-START-FILE export.spicy
+module foo;
+
+public type X = unit {
+    x: uint8;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE export.evt
+import foo;
+
+protocol analyzer FOO over TCP:
+    parse with foo::X,
+    port 80/tcp;
+
+export foo::X;
+
+on foo::X -> event foo::hello(self);
+# @TEST-END-FILE
+
+event foo::hello(x: foo::X)
+	{ print x; }
diff --git a/testing/btest/spicy/export-type-fail.spicy b/testing/btest/spicy/export-type-fail.spicy
new file mode 100644
index 0000000000..5d3ec3a619
--- /dev/null
+++ b/testing/btest/spicy/export-type-fail.spicy
@@ -0,0 +1,35 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-DOC: Failure cases for `export`
+#
+# @TEST-EXEC-FAIL: spicyz -d foo.spicy foo.evt -o foo.hlto >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+
+# @TEST-START-FILE foo.spicy
+module Test;
+
+type X = unit {
+    y: Y; # self-recursive
+};
+
+type Y = unit {
+    x: X;
+};
+
+type Z = unit {
+    var x: tuple<bytes, addr>; # names missing
+};
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.evt
+
+export Test::X;
+export Test::Z;
+export Test::DOES_NOT_EXIST;
+export NOT_SCOPED;
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.zeek
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/export-types.zeek b/testing/btest/spicy/export-types.zeek
new file mode 100644
index 0000000000..1297a5a7b1
--- /dev/null
+++ b/testing/btest/spicy/export-types.zeek
@@ -0,0 +1,103 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o export.hlto export.spicy export.evt >>output
+# @TEST-EXEC: zeek export.hlto %INPUT >>output
+#
+# Zeek 5.0 doesn't include the ID when printing the enum type
+# @TEST-EXEC: cat output | sed 's/enum Test::type_enum/enum/g' >output.tmp && mv output.tmp output
+#
+# Zeek 6.0 includes information on whether a record field is `&optional`.
+# @TEST-EXEC: cat output | sed 's/, optional=F//g' >output.tmp && mv output.tmp output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Test the `export` keyword to automatically create corresponding Zeek types.
+
+module Test;
+
+global e: Test::type_enum = Test::type_enum_B;
+global u2: type_record_u2 = [$t=[$x="S", $y=T]];
+global u: Test::type_record_u = [$s="S", $b=T, $u2=u2];
+global s: XYZ::type_record_sss = [
+    $a=1.2.3.4,
+    $b="bytes",
+    $e=e,
+    $i=-10,
+    $iv=5secs,
+    $j=10,
+    $m=table([4.3.2.1] = "addr1", [4.3.2.2] = "addr2"),
+    $o="string",
+    $p=42/tcp,
+    $r=3.14,
+    $s=set(Test::type_enum_A, Test::type_enum_B),
+    $t=network_time(),
+    $u=u,
+    $v=vector("1", "2", "3")
+];
+
+event zeek_init() {
+    local all_globals: vector of string;
+    for ( id in global_ids() )
+	all_globals[|all_globals|] = id;
+
+    sort(all_globals, strcmp);
+
+    for ( i in all_globals ) {
+	id = all_globals[i];
+
+	if ( ! (/((Test|XYZ)::|type_record_u2)/ in id) )
+	    next;
+
+	if ( /type_record_/ in id )
+            print id, record_fields(id);
+	# else if ( /type_enum$/ in id )
+	#     print id, enum_names(id); # Not available in 5.0 yet
+	else
+	    print id;
+    }
+
+    print "---";
+    print s;
+}
+
+# @TEST-START-FILE export.spicy
+module Test;
+
+type type_enum = enum { A, B, C };
+
+type type_record_s = struct {
+    a: addr;
+    b: bytes;
+    e: type_enum;
+    i: int32;
+    iv: interval;
+    j: uint8;
+    m: map<addr, string>;
+    o: optional<string>;
+    p: port;
+    r: real;
+    s: set<type_enum>;
+    t: time;
+    u: type_record_u;
+    v: vector<string>;
+};
+
+type type_record_u = unit {
+    var s: string;
+    var b: bool;
+    var u2: type_record_u2;
+};
+
+type type_record_u2 = unit {
+    var t: tuple<x: string, y: bool>;
+};
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE export.evt
+
+export Test::type_enum;
+export Test::type_record_s as XYZ::type_record_sss;
+export Test::type_record_u;
+export Test::type_record_u2 as type_record_u2;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-analysis-data-in-concurrent.zeek b/testing/btest/spicy/file-analysis-data-in-concurrent.zeek
new file mode 100644
index 0000000000..9ff70352c4
--- /dev/null
+++ b/testing/btest/spicy/file-analysis-data-in-concurrent.zeek
@@ -0,0 +1,60 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+import zeek;
+
+type Context = tuple<data_chunks: uint64>;
+
+public type Banner = unit {
+    %context = Context;
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+
+public type Data = unit {
+    data: bytes &eod;
+    on %done { print self.data; }
+};
+
+on Banner::%done {
+    local fid1 = zeek::file_begin("foo/bar");
+    local fid2 = zeek::file_begin("foo/bar");
+    local fid3 = zeek::file_begin("foo/bar");
+    zeek::file_data_in(b"12", fid1);
+    zeek::file_data_in(b"!", fid3);
+    zeek::file_data_in(b"AAA", fid2);
+    zeek::file_data_in(b"@", fid3);
+    zeek::file_data_in(b"34", fid1);
+    zeek::file_data_in(b"#", fid3);
+    zeek::file_data_in(b"56", fid1);
+    zeek::file_data_in(b"BBB", fid2);
+    zeek::file_data_in(b"$"); # -> fid3
+    zeek::file_end(fid1);
+    zeek::file_data_in(b"CCC", fid2);
+    zeek::file_end(fid2);
+    zeek::file_end(fid3);
+}
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+import zeek;
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+file analyzer spicy::Text:
+    parse with SSH::Data,
+    mime-type foo/bar;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-analysis-data-in.zeek b/testing/btest/spicy/file-analysis-data-in.zeek
new file mode 100644
index 0000000000..d7289455d5
--- /dev/null
+++ b/testing/btest/spicy/file-analysis-data-in.zeek
@@ -0,0 +1,64 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort  >output
+#
+# @TEST-EXEC: cat x509.log | grep -v ^# | cut -f 4-5 >x509.log.tmp && mv x509.log.tmp x509.log
+# @TEST-EXEC: btest-diff x509.log
+#
+# @TEST-EXEC: cat files.log | zeek-cut sha1 filename >files.log.tmp && mv files.log.tmp files.log
+# @TEST-EXEC: btest-diff files.log
+#
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+import zeek;
+
+global file_counter = 0;
+
+public type Banner = unit {
+    magic   : /SSH-/ {
+	# This is a bit of cheating.
+	local d: spicy::Base64Stream;
+	local dec : bytes = spicy::base64_decode(d, b"MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEyMTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3QgU2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnvUA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRrmBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++AcxGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmKFsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7XrJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7HTgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoNFvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrzmqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wWIRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZUSpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==");
+	dec += spicy::base64_finish(d);
+
+	print self.file_id;
+	zeek::file_data_in(dec);
+    }
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+
+    var file_id: string = zeek::file_begin("application/x-x509-ca-cert");
+    var file_name: string = "foo-%d.txt" % ++file_counter;
+};
+
+on Banner::%done { zeek::file_end(self.file_id); }
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+import zeek;
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner::software -> event have_filename($file, self.file_name);
+
+# @TEST-END-FILE
+
+# Trigger creation of `files.log`.
+@load base/protocols/ssl
+redef X509::log_x509_in_files_log = T;
+
+event have_filename(f: fa_file, filename: string)
+	{
+	f$info$filename = filename;
+	}
diff --git a/testing/btest/spicy/file-analyzer-nested.zeek b/testing/btest/spicy/file-analyzer-nested.zeek
new file mode 100644
index 0000000000..98dccbe7f0
--- /dev/null
+++ b/testing/btest/spicy/file-analyzer-nested.zeek
@@ -0,0 +1,87 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o text.hlto text.spicy ./text.evt
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace text.hlto %INPUT Spicy::enable_print=T | sort -k 3 >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat files.log | zeek-cut source analyzers filename mime_type >files
+# @TEST-EXEC: btest-diff files
+#
+# Check that exceeding max-file-depth leads to aborting and an event.
+# @TEST-EXEC: zeek -t /tmp/zeek.trace -r ${TRACES}/http/post.trace text.hlto %INPUT Spicy::max_file_depth=2 | sort -k 3 >output-max
+# @TEST-EXEC: cat notice.log | zeek-cut note | grep -q "Spicy_Max_File_Depth_Exceeded"
+# @TEST-EXEC: btest-diff output-max
+
+event text::data1(f: fa_file, data: string)
+	{
+	print "data1", f$id, data;
+	}
+
+event text::data2(f: fa_file, data: string)
+	{
+	print "data2", f$id, data;
+	}
+
+event text::data3(f: fa_file, data: string)
+	{
+	print "data3", f$id, data;
+	}
+
+event Spicy::max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
+	{
+	print "depth warning", f$id, args, limit;
+	}
+
+# @TEST-START-FILE text.spicy
+module Text;
+
+import zeek;
+import zeek_file;
+
+# This unit uses the zeek_file::File wrapper to pass data into Zeek's file analysis.
+public type Data1 = unit {
+    on %init {
+        self.content.connect(new zeek_file::File("text/plain2"));
+        self.content.write(b"from 1:");
+        }
+
+    data: bytes &eod -> self.content;
+
+    sink content;
+};
+
+# This unit passes data into Zeek's file analysis directly, without the File wrapper.
+public type Data2 = unit {
+    data: bytes &eod {
+        zeek::file_begin("text/plain3");
+        zeek::file_data_in(b"from 2a:" + self.data);
+        zeek::file_end();
+
+        zeek::file_begin("text/plain3");
+        zeek::file_data_in(b"from 2b:" + self.data);
+        zeek::file_end();
+    }
+};
+
+public type Data3 = unit {
+    data: bytes &eod;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE text.evt
+
+file analyzer spicy::Text1:
+    parse with Text::Data1,
+    mime-type text/plain;
+
+file analyzer spicy::Text2:
+    parse with Text::Data2,
+    mime-type text/plain2;
+
+file analyzer spicy::Text3:
+    parse with Text::Data3,
+    mime-type text/plain3;
+
+on Text::Data1 -> event text::data1($file, self.data);
+on Text::Data2 -> event text::data2($file, self.data);
+on Text::Data3 -> event text::data3($file, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-analyzer-property.zeek b/testing/btest/spicy/file-analyzer-property.zeek
new file mode 100644
index 0000000000..bd826b67d4
--- /dev/null
+++ b/testing/btest/spicy/file-analyzer-property.zeek
@@ -0,0 +1,27 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto text.spicy ./text.evt
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+event text::data(f: fa_file, data: string)
+	{
+	print "text data", f$id, data;
+	}
+
+# @TEST-START-FILE text.spicy
+module Text;
+
+public type Data = unit {
+    %mime-type = "text/plain";
+    data: bytes &eod;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE text.evt
+
+file analyzer spicy::Text:
+    parse with Text::Data;
+
+on Text::Data -> event text::data($file, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-analyzer.zeek b/testing/btest/spicy/file-analyzer.zeek
new file mode 100644
index 0000000000..65e7c89115
--- /dev/null
+++ b/testing/btest/spicy/file-analyzer.zeek
@@ -0,0 +1,46 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto text.spicy ./text.evt
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff weird.log
+
+event zeek_init()
+	{
+	# Check we can access the tag.
+	print Files::ANALYZER_SPICY_TEXT;
+	}
+
+event text::data(f: fa_file, data: string)
+	{
+	print "text data", f$id, data;
+	}
+
+# @TEST-START-FILE text.spicy
+module Text;
+
+import zeek;
+
+public type Data = unit {
+    data: bytes &eod;
+
+    on %done {
+        # File ID isn't stable across platforms, so just check expected length.
+        assert |zeek::fuid()| == 18;
+        zeek::weird("test_weird");
+    }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE text.evt
+
+file analyzer spicy::Text:
+    parse with Text::Data,
+
+    # Note that Zeek determines the MIME type not from the Content-Type
+    # header in the trace, but by content sniffing (i.e., libmagic-style)
+    mime-type text/plain;
+    #mime-type application/x-www-form-urlencoded;
+
+on Text::Data -> event text::data($file, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-data-in-at-offset.zeek b/testing/btest/spicy/file-data-in-at-offset.zeek
new file mode 100644
index 0000000000..21e62f27cf
--- /dev/null
+++ b/testing/btest/spicy/file-data-in-at-offset.zeek
@@ -0,0 +1,47 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort  >output
+#
+# @TEST-EXEC: cat x509.log | grep -v ^# | cut -f 4-5 >x509.log.tmp && mv x509.log.tmp x509.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+import zeek;
+
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+
+# this is a bit of cheating...
+
+on Banner::%done {
+    local d: spicy::Base64Stream;
+    local dec : bytes = spicy::base64_decode(d, b"MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEyMTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3QgU2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnvUA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRrmBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++AcxGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmKFsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7XrJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7HTgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoNFvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrzmqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wWIRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZUSpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==");
+    dec += spicy::base64_finish(d);
+    local id = zeek::file_begin("application/x-x509-ca-cert");
+    print id;
+    zeek::file_data_in_at_offset(dec, 0);
+    zeek::file_end();
+}
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+import zeek;
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/file-replaces.zeek b/testing/btest/spicy/file-replaces.zeek
new file mode 100644
index 0000000000..55addc5084
--- /dev/null
+++ b/testing/btest/spicy/file-replaces.zeek
@@ -0,0 +1,117 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o pe.hlto pe.spicy zeek_pe.spicy pe.evt
+# @TEST-EXEC: zeek -r ${TRACES}/pe/pe-single.trace pe.hlto %INPUT ENABLE=T
+# @TEST-EXEC: cat files.log | zeek-cut source analyzers filename mime_type >>output
+# @TEST-EXEC: zeek -r ${TRACES}/pe/pe-single.trace pe.hlto %INPUT ENABLE=F
+# @TEST-EXEC: cat files.log | zeek-cut source analyzers filename mime_type >>output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Test replacing an existing file analyzer, and also toggling the Spicy one on and off
+
+const ENABLE = T &redef;
+
+event zeek_init() {
+    if ( ENABLE )
+        Spicy::enable_file_analyzer(Files::ANALYZER_SPICY_PE);
+    else
+        Spicy::disable_file_analyzer(Files::ANALYZER_SPICY_PE);
+}
+
+event pe_dos_header(f: fa_file, h: PE::DOSHeader)
+	{
+	print "pe_dos_header", h;
+	}
+
+# @TEST-START-FILE pe.spicy
+module PE;
+import spicy;
+%byte-order = spicy::ByteOrder::Little;
+
+public type ImageFile = unit {
+    %mime-type = "application/x-dosexec";
+
+    dosHeader: DOS_Header;
+};
+
+type DOS_Header = unit {
+    magic:                  b"MZ";
+    bytesInLastPage:        uint16;
+    pagesInFile:            uint16;
+    relocations:            uint16;
+    paragraphsInHeader:     uint16;
+    minExtraParagraphs:     uint16;
+    maxExtraParagraphs:     uint16;
+    initialRelativeSS:      uint16;
+    initialSP:              uint16;
+    checksum:               uint16;
+    initialIP:              uint16;
+    initialRelativeCS:      uint16;
+    relocationTableAddress: uint16;
+    overlayNumber:          uint16;
+    reserved1:              bytes &size=8;
+    oemID:                  uint16;
+    oemInfo:                uint16;
+    reserved2:              bytes &size=20;
+    peHeaderOffset:         uint32;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE zeek_pe.spicy
+module Zeek_PE;
+import PE;
+
+type DOSHeader = tuple<
+    signature                : bytes,
+    used_bytes_in_last_page  : uint64,
+    file_in_pages            : uint64,
+    num_reloc_items          : uint64,
+    header_in_paragraphs     : uint64,
+    min_extra_paragraphs     : uint64,
+    max_extra_paragraphs     : uint64,
+    init_relative_ss         : uint64,
+    init_sp                  : uint64,
+    checksum                 : uint64,
+    init_ip                  : uint64,
+    init_relative_cs         : uint64,
+    addr_of_reloc_table      : uint64,
+    overlay_num              : uint64,
+    oem_id                   : uint64,
+    oem_info                 : uint64,
+    addr_of_new_exe_header   : uint64
+    >;
+
+public function makeDOSHeader(h: PE::DOS_Header): DOSHeader
+    {
+    return (
+            b"MZ (Spicy)",
+            h.bytesInLastPage,
+            h.pagesInFile,
+            h.relocations,
+            h.paragraphsInHeader,
+            h.minExtraParagraphs,
+            h.maxExtraParagraphs,
+            h.initialRelativeSS,
+            h.initialSP,
+            h.checksum,
+            h.initialIP,
+            h.initialRelativeCS,
+            h.relocationTableAddress,
+            h.overlayNumber,
+            h.oemID,
+            h.oemInfo,
+            h.peHeaderOffset,
+           );
+    }
+# @TEST-END-FILE
+
+# @TEST-START-FILE pe.evt
+file analyzer spicy::PE:
+    parse with PE::ImageFile,
+    replaces PE,
+    mime-type application/x-dosexec;
+
+import Zeek_PE;
+
+on PE::DOS_Header -> event pe_dos_header($file, Zeek_PE::makeDOSHeader(self));
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/gap-recovery.zeek b/testing/btest/spicy/gap-recovery.zeek
new file mode 100644
index 0000000000..3cca9775fa
--- /dev/null
+++ b/testing/btest/spicy/gap-recovery.zeek
@@ -0,0 +1,47 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o analyzer.hlto analyzer.spicy analyzer.evt
+# @TEST-EXEC: zeek -Cr ${TRACES}/spicy/gap-recovery.pcap analyzer.hlto Spicy::enable_print=T >output 2>&1
+# @TEST-EXEC: if spicy-version 10503; then btest-diff output; else OUT=output-before-spicy-issue-1303; mv output "$OUT"; btest-diff "$OUT"; fi
+#
+# @TEST-DOC: Tests that parsers can resynchronize on gaps.
+
+# @TEST-START-FILE analyzer.evt
+protocol analyzer spicy::HTTP over TCP:
+    parse originator with test::Requests,
+    parse responder with test::Responses,
+    port 9000/tcp,
+    replaces HTTP;
+# @TEST-END-FILE
+
+# @TEST-START-FILE analyzer.spicy
+module test;
+public type Requests = unit {
+    %port = 9000/tcp &originator;
+    requests: (Request &synchronize)[] foreach { confirm; }
+    on %done { print self; }
+};
+
+type Request = unit {
+    marker: /GET/;
+    : /[^\r?\n]+\r?\n/;
+    : (/[^\r?\n]*:[^\r?\n]*\r?\n/)[];
+    : /\r?\n/;
+};
+
+public type Responses = unit {
+    %port = 9000/tcp &responder;
+    responses: (Response &synchronize)[] foreach { confirm; }
+    on %done { print self; }
+};
+
+type Response = unit {
+    marker: /HTTP/;
+    : /[^\r?\n]+\r?\n/;
+    : /content-length: /;
+    len: bytes &until=b"\r\n" &convert=cast<uint64>($$.to_int());
+    : (/[^\r?\n]*:[^\r?\n]*\r?\n/)[];
+    : /\r?\n/;
+    : bytes &size=self.len;
+};
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/import-from.zeek b/testing/btest/spicy/import-from.zeek
new file mode 100644
index 0000000000..baefb4503b
--- /dev/null
+++ b/testing/btest/spicy/import-from.zeek
@@ -0,0 +1,57 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: mkdir -p a/b/c && mv y.spicy a/b/c
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace  test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+event ssh::test(x: string, y: string)
+	{
+	print x, y;
+	}
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+public type Banner = unit {
+    %port = 22/tcp;
+
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+
+    on %done {}
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE x.spicy
+
+module X;
+
+public function x()  : string {
+    return "Foo::x";
+}
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE y.spicy
+
+module Y;
+
+public function y()  : string {
+    return "Foo::y";
+}
+
+# @TEST-END-FILE
+
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner;
+
+import X;
+import Y from a.b.c;
+
+on SSH::Banner -> event ssh::test(X::x(), Y::y());
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/list-conversion.zeek b/testing/btest/spicy/list-conversion.zeek
new file mode 100644
index 0000000000..129e7b1e69
--- /dev/null
+++ b/testing/btest/spicy/list-conversion.zeek
@@ -0,0 +1,54 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto listconv.spicy ./listconv.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE listconv.spicy
+
+module listconv;
+
+public function bro_convert(a: uint8) : tuple<uint64, uint64> {
+    return (a, a + 1);
+}
+
+public type Test = unit {
+    a: uint8[5];
+    b: int16;
+    c: uint16;
+};
+
+@TEST-END-FILE
+
+@TEST-START-FILE listconv.evt
+
+protocol analyzer listconv over TCP:
+    parse originator with listconv::Test,
+    port 22/tcp;
+
+on listconv::Test -> event listconv::test($conn,
+                                  $is_orig,
+                                  [listconv::bro_convert(i) for i in self.a],
+                                  self.b,
+                                  self.c
+                                  );
+
+@TEST-END-FILE
+
+type int_tuple: record {
+  a: count;
+  b: count;
+};
+
+event listconv::test(x: connection,
+                 is_orig: bool,
+                 a: vector of int_tuple,
+                 b: int,
+                 c: count
+                ) {
+  print x$id;
+  print is_orig;
+  print a;
+  print b;
+  print c;
+}
diff --git a/testing/btest/spicy/module-path.spicy b/testing/btest/spicy/module-path.spicy
new file mode 100644
index 0000000000..40a664cc6c
--- /dev/null
+++ b/testing/btest/spicy/module-path.spicy
@@ -0,0 +1,11 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o x.hlto %INPUT
+# @TEST-EXEC: zeek -b Zeek::Spicy x.hlto Spicy::enable_print=T >>output
+# @TEST-EXEC: mkdir -p y/z && mv x.hlto y/z
+# @TEST-EXEC: ZEEK_SPICY_MODULE_PATH=FOO:y:BAR zeek -b Zeek::Spicy Spicy::enable_print=T >>output
+# @TEST-EXEC: btest-diff output
+
+module Test;
+
+print "Got it";
diff --git a/testing/btest/spicy/multiple-enum.zeek b/testing/btest/spicy/multiple-enum.zeek
new file mode 100644
index 0000000000..8a5a849259
--- /dev/null
+++ b/testing/btest/spicy/multiple-enum.zeek
@@ -0,0 +1,41 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto dtest.spicy ./dtest.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+event dtest_one(x: dtest::RESULT) {
+    print "one", x;
+}
+
+event dtest_two(x: dtest::RESULT) {
+    print "two", x;
+}
+
+# @TEST-START-FILE dtest.evt
+
+protocol analyzer spicy::dtest over TCP:
+    parse originator with dtest::Message,
+    port 22/tcp;
+
+on dtest::Message if ( self.sswitch == 83 )
+  -> event dtest_one(self.result);
+
+on dtest::Message if ( self.sswitch != 83 )
+  -> event dtest_two(self.result);
+
+# @TEST-END-FILE
+# @TEST-START-FILE dtest.spicy
+
+module dtest;
+
+public type RESULT = enum {
+ A, B = 83, C, D, E, F
+};
+
+public type Message = unit {
+  sswitch: uint8;
+  result: uint8 &convert=RESULT($$);
+};
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/network-time.spicy b/testing/btest/spicy/network-time.spicy
new file mode 100644
index 0000000000..59306c8a86
--- /dev/null
+++ b/testing/btest/spicy/network-time.spicy
@@ -0,0 +1,26 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./udp-test.evt
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto Spicy::enable_print=T >output
+# @TEST-EXEC: btest-diff output
+
+module Test;
+
+import zeek;
+
+# Before any processing has started the network time should be zero.
+assert(zeek::network_time() == time(0));
+
+public type Message = unit {
+    data: bytes &eod {
+        # For real traffic we would expect the network time to increase as we progress.
+        print zeek::network_time().nanoseconds();
+    }
+};
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::TEST over UDP:
+    parse with Test::Message,
+    port 11337/udp-11340/udp,
+    ports {31337/udp-31340/udp};
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/optional.zeek b/testing/btest/spicy/optional.zeek
new file mode 100644
index 0000000000..8b848abdbc
--- /dev/null
+++ b/testing/btest/spicy/optional.zeek
@@ -0,0 +1,39 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto %INPUT > output 2>&1
+# @TEST-EXEC: btest-diff output
+
+type R: record {
+    x: vector of int &optional;
+};
+
+event foo_result_tuple(r: R) {
+    print(r);
+}
+
+# @TEST-START-FILE foo.evt
+
+protocol analyzer spicy::foo over TCP:
+    parse originator with Foo::Message,
+    port 22/tcp;
+
+on Foo::Message -> event foo_result_tuple(Foo::bro_result(self));
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.spicy
+
+module Foo;
+
+public type Message = unit {
+  : uint8;
+  : uint8;
+};
+
+public function bro_result(entry: Message) : tuple<optional<uint8>> {
+    local y: optional<uint8>;
+    return (y, );
+}
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/packet-analyzer-on-ip.zeek b/testing/btest/spicy/packet-analyzer-on-ip.zeek
new file mode 100644
index 0000000000..a4b8b45346
--- /dev/null
+++ b/testing/btest/spicy/packet-analyzer-on-ip.zeek
@@ -0,0 +1,37 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto spicy/raw-layer.pcap.spicy spicy/raw-layer.pcap.evt
+# @TEST-EXEC: zeek -r ${TRACES}/dns/proto255.pcap test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+module PacketAnalyzer::SPICY_RAWLAYER;
+
+event zeek_init()
+	{
+	if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("IP", 255, "spicy_RawLayer") ) # modified trace to have IP proto 255
+		print "cannot register raw analyzer on top of IP";
+	}
+
+event raw::data(p: raw_pkt_hdr, data: string)
+	{
+    print fmt("MACs: src=%s dst=%s", p$l2$src, p$l2$dst);
+    print fmt("IPs : src=%s dst=%s", p$ip$src, p$ip$dst);
+	print fmt("raw bytes: %d", |data|);
+	}
+
+# @TEST-START-FILE spicy/raw-layer.pcap.spicy
+module RawLayer;
+
+import zeek;
+
+public type Packet = unit {
+    data: bytes &eod;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE spicy/raw-layer.pcap.evt
+packet analyzer spicy::RawLayer:
+    parse with RawLayer::Packet;
+
+on RawLayer::Packet::data -> event raw::data($packet, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/packet-analyzer-replaces.zeek b/testing/btest/spicy/packet-analyzer-replaces.zeek
new file mode 100644
index 0000000000..d902b91563
--- /dev/null
+++ b/testing/btest/spicy/packet-analyzer-replaces.zeek
@@ -0,0 +1,61 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o my-ethernet.hlto my-ethernet.spicy my-ethernet.evt
+# @TEST-EXEC: zeek -r ${TRACES}/dns53.pcap my-ethernet.hlto %INPUT ENABLE=T >output-on
+# @TEST-EXEC: zeek -r ${TRACES}/dns53.pcap my-ethernet.hlto %INPUT ENABLE=F >output-off
+# @TEST-EXEC: btest-diff output-on
+
+#
+# @TEST-DOC: Check that we can replace Zeek's Ethernet analyzer.
+#
+# Zeek logs look the same in both cases but we get some additional output
+# when our analyzer is running by raising a custom event.
+
+const ENABLE = T &redef;
+
+module MyEthernet;
+
+const DLT_EN10MB : count = 1;
+
+event zeek_init() &priority=-200
+	{
+	if ( ENABLE )
+		Spicy::enable_file_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
+	else
+		Spicy::disable_file_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
+}
+
+# The priority here needs to be higher than the standard script registering the
+# built-in Ethernet analyzer.
+event zeek_init() &priority=-100
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_EN10MB, PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	}
+
+event MyEthernet::data(p: raw_pkt_hdr, data: string)
+	{
+	print "My Ethernet:", data;
+	}
+
+# @TEST-START-FILE my-ethernet.spicy
+module MyEthernet;
+
+import zeek;
+
+public type Packet = unit {
+    ethernet: bytes &size=14;
+
+    on %done {
+        zeek::forward_packet(0x0800); # in practice, this wouldn't be hardcoded of course;
+    }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE my-ethernet.evt
+packet analyzer spicy::MyEthernet:
+    parse with MyEthernet::Packet,
+    replaces Ethernet;
+
+on MyEthernet::Packet -> event MyEthernet::data($packet, self.ethernet);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/packet-analyzer-violation.zeek b/testing/btest/spicy/packet-analyzer-violation.zeek
new file mode 100644
index 0000000000..46c2ce4af7
--- /dev/null
+++ b/testing/btest/spicy/packet-analyzer-violation.zeek
@@ -0,0 +1,30 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o zeek_test.hlto analyzer.spicy analyzer.evt
+# @TEST-EXEC: HILTI_DEBUG=spicy zeek -Cr ${TRACES}/spicy/packet-analyzer-violation.pcap zeek_test.hlto %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Checks that packet analyzers correctly report violations. This is a regression test for #132.
+
+# @TEST-START-FILE analyzer.spicy
+module test;
+public type Foo = unit {
+  data: bytes &until=b"\xbe";
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE analyzer.evt
+import test;
+
+packet analyzer spicy::TEST:
+    parse with test::Foo;
+# @TEST-END-FILE
+
+module TEST;
+
+event zeek_init()
+{
+	if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x6666,
+	    "spicy_TEST") )
+		print "cannot register spicy analyzer";
+}
diff --git a/testing/btest/spicy/packet-analyzer.zeek b/testing/btest/spicy/packet-analyzer.zeek
new file mode 100644
index 0000000000..5870084a49
--- /dev/null
+++ b/testing/btest/spicy/packet-analyzer.zeek
@@ -0,0 +1,45 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto spicy/raw-layer.pcap.spicy spicy/raw-layer.pcap.evt
+# @TEST-EXEC: zeek -r ${TRACES}/spicy/raw-layer.pcap test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff weird.log
+
+module PacketAnalyzer::SPICY_RAWLAYER;
+
+event zeek_init()
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88b5, PacketAnalyzer::ANALYZER_SPICY_RAWLAYER);
+
+	if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("spicy_RawLayer", 0x4950, "IP") )
+		print "cannot register IP analyzer";
+	}
+
+event raw::data(p: raw_pkt_hdr, data: string)
+	{
+	print fmt("MACs: src=%s dst=%s", p$l2$src, p$l2$dst);
+	print "raw data", data;
+	}
+
+# @TEST-START-FILE spicy/raw-layer.pcap.spicy
+module RawLayer;
+
+import zeek;
+
+public type Packet = unit {
+    data: bytes &size=19;
+    protocol: uint16;
+
+    on %done {
+        zeek::forward_packet(self.protocol);
+        zeek::weird("test_weird");
+    }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE spicy/raw-layer.pcap.evt
+packet analyzer spicy::RawLayer:
+    parse with RawLayer::Packet;
+
+on RawLayer::Packet::data -> event raw::data($packet, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/parse-error.zeek b/testing/btest/spicy/parse-error.zeek
new file mode 100644
index 0000000000..59f4897135
--- /dev/null
+++ b/testing/btest/spicy/parse-error.zeek
@@ -0,0 +1,36 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -r ${TRACES}/ssh/single-conn.trace misc/dump-events test.hlto %INPUT
+# Zeek versions differ in their quoting of the newline character in dpd.log (two slashes vs one).
+# @TEST-EXEC: cat dpd.log | sed 's#\\\\#\\#g' >dpd.log.tmp && mv dpd.log.tmp dpd.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff dpd.log
+#
+# @TEST-DOC: Trigger parse error after confirmation, should be recorded in dpd.log
+
+# @TEST-START-FILE test.spicy
+module SSH;
+
+import zeek;
+
+public type Banner = unit {
+    magic   : /SSH-/ { zeek::confirm_protocol(); }
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /KAPUTT/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp
+
+    # With Zeek < 5.0, DPD tracking doesn't work correctly for replaced
+    # analyzers because the ProtocolViolation() doesn't take a tag.
+    #
+    # replaces SSH
+    ;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/port-fail.evt b/testing/btest/spicy/port-fail.evt
new file mode 100644
index 0000000000..f00efc6210
--- /dev/null
+++ b/testing/btest/spicy/port-fail.evt
@@ -0,0 +1,22 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+
+protocol analyzer spicy::SSH over TCP:
+    port 123456/udp;
+
+@TEST-START-NEXT
+
+protocol analyzer spicy::SSH over TCP:
+    port -1/udp;
+
+@TEST-START-NEXT
+
+protocol analyzer spicy::SSH over TCP:
+    port 1/udp-2/tcp;
+
+@TEST-START-NEXT
+
+protocol analyzer spicy::SSH over TCP:
+    port 2/udp-1/udp;
diff --git a/testing/btest/spicy/preprocessor-fail.evt b/testing/btest/spicy/preprocessor-fail.evt
new file mode 100644
index 0000000000..62961a2f05
--- /dev/null
+++ b/testing/btest/spicy/preprocessor-fail.evt
@@ -0,0 +1,37 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC-FAIL: spicyz -D zeek -d -o x.hlto %INPUT 2>output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+
+@if ZEEK_VERSION < 90000
+
+# @TEST-START-NEXT
+
+@if ZEEK_VERSION >= 30000
+@else
+
+# @TEST-START-NEXT
+
+@else
+@endif
+
+# @TEST-START-NEXT
+
+@endif
+
+# @TEST-START-NEXT
+
+@if ZEEK_VERSION < 90000
+@if ZEEK_VERSION < 90000
+@if ZEEK_VERSION < 90000
+@else
+@endif
+# @TEST-START-NEXT
+
+@if ZEEK_VERSION >= thirtythousand
+@endif
+
+# @TEST-START-NEXT
+
+@if ZEEK_VERSION >= 3.0.0
+@endif
diff --git a/testing/btest/spicy/preprocessor-spicy.spicy b/testing/btest/spicy/preprocessor-spicy.spicy
new file mode 100644
index 0000000000..0c061df2b0
--- /dev/null
+++ b/testing/btest/spicy/preprocessor-spicy.spicy
@@ -0,0 +1,61 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: echo == spicyz >>output
+# @TEST-EXEC: spicyz -c x %INPUT
+# @TEST-EXEC: cat x_Foo.cc | grep print >>output
+#
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Test various Spicy preprocessor constructs
+#
+# Same test is part of Spicy itself as well, with different results.
+
+module Foo;
+
+@if   HAVE_ZEEK
+print "have zeek";
+@else
+print "not have zeek";
+@endif
+
+@if   !   HAVE_ZEEK
+print "not have zeek";
+@endif
+
+@if SPICY_VERSION
+print "have spicy version";
+@endif
+
+@if SPICY_VERSION    >=    400
+print "have spicy version >= 0.4";
+@endif
+
+@if SPICY_VERSION >= 40000
+print "have spicy version >= 4";
+@endif
+
+@if ! SPICY_VERSION >= 40000
+print "not have spicy version >= 4";
+@endif
+
+@if    UNKNOWiN
+no valid Spicy syntax here.
+@endif
+
+@if HAVE_ZEEK
+    @if ZEEK_VERSION > 10000
+    print "have zeek and zeek version > 1.0";
+    @else
+    print "have zeek but zeek version < 1.0";
+    @endif
+@else
+    print "have not zeek";
+@endif
+
+@if   HAVE_ZEEK
+    @if ZEEK_VERSION < 10000
+    print "have zeek and zeek version < 1.0";
+    @endif
+@else
+    print "have not zeek";
+@endif
diff --git a/testing/btest/spicy/preprocessor.evt b/testing/btest/spicy/preprocessor.evt
new file mode 100644
index 0000000000..970131ee1d
--- /dev/null
+++ b/testing/btest/spicy/preprocessor.evt
@@ -0,0 +1,40 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -D zeek -d -o x.hlto %INPUT 2>output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+
+protocol analyzer YES_1 over TCP: parse with X;
+
+@if ZEEK_VERSION >= 30000
+    protocol analyzer YES_2 over TCP: parse with X;
+@endif
+
+@if ZEEK_VERSION < 90000
+    protocol analyzer YES_3 over TCP: parse with X;
+@endif
+
+@if ZEEK_VERSION >= 30000
+    protocol analyzer YES_4 over TCP: parse with X;
+@else
+    protocol analyzer NO_4 over TCP: parse with X;
+@endif
+
+@if ZEEK_VERSION < 30000
+    protocol analyzer NO_5 over TCP: parse with X;
+@else
+    protocol analyzer YES_5 over TCP: parse with X;
+@endif
+
+@if ZEEK_VERSION >= 20000
+    @if ZEEK_VERSION >= 90000
+        protocol analyzer NO_6 over TCP: parse with X;
+    @else
+        protocol analyzer YES_6 over TCP: parse with X;
+    @endif
+@else
+    @if ZEEK_VERSION < 90000
+        protocol analyzer YES_7 over TCP: parse with X;
+    @else
+        protocol analyzer NO_7 over TCP: parse with X;
+    @endif
+@endif
diff --git a/testing/btest/spicy/profiling.zeek b/testing/btest/spicy/profiling.zeek
new file mode 100644
index 0000000000..3f4743055c
--- /dev/null
+++ b/testing/btest/spicy/profiling.zeek
@@ -0,0 +1,37 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -Z -d -o ssh.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy ssh.hlto %INPUT Spicy::enable_profiling=T >output 2>prof.log.raw
+# @TEST-EXEC: cat prof.log.raw | awk '{print $1, $2}' | egrep -v 'zeek/rt/debug|zeek/rt/internal_handler' >prof.log
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff prof.log
+#
+# @TEST-DOC: Tests that we get profiling information for the Spicy analyzer.
+
+event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "SSH banner", c$id, is_orig, version, software;
+	}
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    # no port, we're using the signature
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/protocol-analyzer-data-in.zeek b/testing/btest/spicy/protocol-analyzer-data-in.zeek
new file mode 100644
index 0000000000..7aec5d7203
--- /dev/null
+++ b/testing/btest/spicy/protocol-analyzer-data-in.zeek
@@ -0,0 +1,57 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+import zeek;
+
+type Context = tuple<data_chunks: uint64>;
+
+public type Banner = unit {
+    %context = Context;
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+
+on Banner::%done {
+    zeek::protocol_begin("HTTP");
+
+    zeek::protocol_data_in(True, b"GET /etc/passwd1 HTTP/1.0\r\n\r\n");
+    zeek::protocol_data_in(False, b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n");
+
+    # We can get a handle to the existing HTTP analyzer.
+    local http1 = zeek::protocol_handle_get_or_create("HTTP");
+    zeek::protocol_data_in(True, b"GET /etc/passwd1.1 HTTP/1.0\r\n\r\n", http1);
+
+    # We can get another handle to the existing HTTP analyzer.
+    local http2 = zeek::protocol_handle_get_or_create("HTTP");
+    zeek::protocol_data_in(False, b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n", http2);
+    zeek::protocol_handle_close(http1);
+
+    zeek::protocol_end();  # Noop.
+
+    # Creating a DPD child analyzer creates no handle.
+    zeek::protocol_begin(); # DPD
+    zeek::protocol_data_in(True, b"GET /etc/passwd2 HTTP/1.0\r\n\r\n");
+    zeek::protocol_data_in(False, b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n");
+    zeek::protocol_end();
+}
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-cond.evt
+
+import zeek;
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek b/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek
new file mode 100644
index 0000000000..d12541efd5
--- /dev/null
+++ b/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek
@@ -0,0 +1,48 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto %INPUT Spicy::enable_print=T >output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE foo.spicy
+module foo;
+import zeek;
+
+public type X = unit {
+    xs: bytes &eod {
+	local y = zeek::protocol_handle_get_or_create("spicy_Y");
+	local z = zeek::protocol_handle_get_or_create("spicy_Z");
+
+	zeek::protocol_data_in(zeek::is_orig(), b"only Y", y);
+	zeek::protocol_data_in(zeek::is_orig(), b"both Y and Z");
+
+	zeek::protocol_handle_close(z);
+	zeek::protocol_data_in(zeek::is_orig(), b"only Y after removal of Z");
+
+	zeek::protocol_handle_close(y);
+	zeek::protocol_data_in(zeek::is_orig(), b"goes nowhere");
+    }
+};
+
+public type Y = unit {
+    ys: bytes &eod &chunked { print "ys=%s" % $$; }
+};
+
+public type Z = unit {
+    zs: bytes &eod &chunked { print "zs=%s" % $$; }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.evt
+# Analyzer instantiated from Zeek based on the traffic.
+protocol analyzer spicy::X over TCP:
+    parse originator with foo::X,
+    port 22/tcp,
+    replaces SSH;
+
+# Analyzers which will only be instantiated explicitly by us.
+protocol analyzer spicy::Y over TCP:
+    parse originator with foo::Y;
+protocol analyzer spicy::Z over TCP:
+    parse originator with foo::Z;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy b/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy
new file mode 100644
index 0000000000..62c009d3de
--- /dev/null
+++ b/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy
@@ -0,0 +1,28 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./foo.evt
+# @TEST-EXEC: zeek -Cr ${TRACES}/ssh/ssh-over-udp.pcap test.hlto
+# @TEST-EXEC: btest-diff ssh.log
+#
+# @TEST-DOC: Pass data from inside a UDP analyzer to a Zeek analyzers that works on top of TCP. Regression tests for #92 and also #91.
+#
+
+module Foo;
+
+import spicy;
+import zeek;
+
+public type Bar = unit {
+    on %init { zeek::protocol_begin("SSH"); }
+    data: bytes &eod { zeek::protocol_data_in(zeek::is_orig(), $$); }
+};
+
+# @TEST-START-FILE foo.evt
+
+import zeek;
+
+protocol analyzer spicy::Foo over UDP:
+    parse with Foo::Bar,
+    port 1234/udp;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/replaces-mismatch.zeek b/testing/btest/spicy/replaces-mismatch.zeek
new file mode 100644
index 0000000000..b4cc9d6d16
--- /dev/null
+++ b/testing/btest/spicy/replaces-mismatch.zeek
@@ -0,0 +1,25 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o ssh.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC-FAIL: zeek -r ${TRACES}/ssh/single-conn.trace ssh.hlto >output 2>&1
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Attempt to replace a packet analyzer with a protocol analyzer
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import zeek;
+
+public type Banner = unit {
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces Ethernet; # fail
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/replaces.zeek b/testing/btest/spicy/replaces.zeek
new file mode 100644
index 0000000000..eabdcbcb6e
--- /dev/null
+++ b/testing/btest/spicy/replaces.zeek
@@ -0,0 +1,45 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: mkdir -p modules
+# @TEST-EXEC: spicyz -d -o modules/ssh.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC: ZEEK_SPICY_MODULE_PATH=$(pwd)/modules zeek -r ${TRACES}/ssh/single-conn.trace %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+#
+# We use the module search path for loading here as a regression test for #137.
+# Note that this that problem only showed up when the Spicy plugin was built
+# into Zeek.
+
+event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "SSH banner", c$id, is_orig, version, software;
+	}
+
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+    {
+    print atype, aid;
+    }
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import zeek;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+
+    on %done { zeek::confirm_protocol(); }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/resource-usage.zeek b/testing/btest/spicy/resource-usage.zeek
new file mode 100644
index 0000000000..3181c45950
--- /dev/null
+++ b/testing/btest/spicy/resource-usage.zeek
@@ -0,0 +1,26 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto Zeek/Spicy/misc/resource-usage | sed 's/=[^ ]*/=XXX/g' >output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Exercise the misc/resource-usage.zeek script.
+
+# @TEST-START-FILE test.spicy
+module SSH;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /KAPUTT/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp;
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/reuse-parser-across-hltos.zeek b/testing/btest/spicy/reuse-parser-across-hltos.zeek
new file mode 100644
index 0000000000..2cac28bf69
--- /dev/null
+++ b/testing/btest/spicy/reuse-parser-across-hltos.zeek
@@ -0,0 +1,70 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt
+# @TEST-EXEC: spicyz -d -o bar.hlto bar.spicy bar.evt foo.spicy
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto %INPUT | sort >>output
+# @TEST-EXEC: echo >>output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace bar.hlto %INPUT | sort >>output
+# @TEST-EXEC: echo >>output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto bar.hlto %INPUT | sort >>output
+# @TEST-EXEC: echo >>output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace bar.hlto foo.hlto %INPUT | sort >>output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Check that HLTOs remain isolated from each other when reusing another's units.
+#
+# The events triggered should reflect what's being loaded, and not depend on any loading ordering either.
+
+event foo::test(x: string)
+	{
+	print "foo", x;
+	}
+
+event bar::test(x: string)
+	{
+	print "bar", x;
+	}
+
+# @TEST-START-FILE foo.spicy
+module Foo;
+
+public type Banner = unit {
+    %port = 22/tcp;
+
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+# @TEST-END-FILE
+#
+# @TEST-START-FILE foo.evt
+import Foo;
+
+protocol analyzer spicy::Foo over TCP:
+    parse with Foo::Banner;
+
+on Foo::Banner -> event foo::test(self.version);
+# @TEST-END-FILE
+
+# @TEST-START-FILE bar.spicy
+module Bar;
+
+import Foo;
+
+public type Banner = unit {
+    %port = 22/tcp;
+    x: Foo::Banner;
+};
+
+# @TEST-END-FILE
+#
+# @TEST-START-FILE bar.evt
+import Foo;
+import Bar;
+
+protocol analyzer spicy::Bar over TCP:
+    parse with Bar::Banner;
+
+on Foo::Banner -> event bar::test(self.version);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/spicy-dump.spicy b/testing/btest/spicy/spicy-dump.spicy
index 5ce7eca37a..e7016195a7 100644
--- a/testing/btest/spicy/spicy-dump.spicy
+++ b/testing/btest/spicy/spicy-dump.spicy
@@ -1,8 +1,9 @@
-# @TEST-DOC: Smoke test for a bundled Spicy.
+# @TEST-REQUIRES: have-spicy && test -x ${BUILD}/auxil/spicy/bin/spicy-dump
 #
-# @TEST-REQUIRES: $SCRIPTS/have-spicy
-# @TEST-EXEC: printf 12345 | ${BUILD}/auxil/spicy/spicy/bin/spicy-dump -d %INPUT >output
+# @TEST-EXEC: printf 12345 | ${BUILD}/auxil/spicy/bin/spicy-dump -d %INPUT >output
 # @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Smoke test for a bundled Spicy.
 
 module test;
 
diff --git a/testing/btest/spicy/spicyz.test b/testing/btest/spicy/spicyz.test
index 7abbf30745..1f1b79d09c 100644
--- a/testing/btest/spicy/spicyz.test
+++ b/testing/btest/spicy/spicyz.test
@@ -1,10 +1,11 @@
-# @TEST-DOC: Smoke test for a custom ahead-of-time compiled Spicy analyzer hooked into Zeek.
+# @TEST-REQUIRES: have-spicy
 #
-# @TEST-REQUIRES: $SCRIPTS/have-spicy
-# @TEST-EXEC: ${BUILD}/src/builtin-plugins/spicy-plugin/bin/spicyz test.spicy test.evt -o test.hlto
+# @TEST-EXEC: spicyz test.spicy test.evt -d -o test.hlto
 # @TEST-EXEC: zeek -NN test.hlto | grep -q ANALYZER_SPICY_TEST
 # @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.zeek test.hlto "Spicy::enable_print = T;" >>output 2>&1
 # @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Smoke test for a custom ahead-of-time compiled Spicy analyzer hooked into Zeek.
 
 # @TEST-START-FILE test.spicy
 module test;
diff --git a/testing/btest/spicy/ssh-banner.zeek b/testing/btest/spicy/ssh-banner.zeek
new file mode 100644
index 0000000000..e932517ec8
--- /dev/null
+++ b/testing/btest/spicy/ssh-banner.zeek
@@ -0,0 +1,75 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o ssh.hlto ssh.spicy ./ssh.evt
+# @TEST-EXEC: echo === confirmation >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace -s ./ssh.sig Zeek::Spicy base/frameworks/notice/weird ssh.hlto %INPUT ./extern.zeek | sort >>output
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: echo === violation >>output
+# Note: The following removes the payload data from the violation log, as that's a recent addition that breaks older version. Can remove later.
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace -s ./ssh.sig Zeek::Spicy ssh.hlto  ./extern.zeek %INPUT | sed 's/ \[POST.*//g' | sort >>output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-remove-abspath btest-diff output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff analyzer.log
+# @TEST-EXEC: test '!' -f reporter.log
+
+
+event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "SSH banner", c$id, is_orig, version, software;
+	}
+
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+	{
+	if ( atype == Analyzer::ANALYZER_SPICY_SSH )
+	    print "confirm", atype;
+	}
+
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string)
+	{
+	if ( atype == Analyzer::ANALYZER_SPICY_SSH )
+	    print "violation", atype, reason;
+	}
+
+# @TEST-START-FILE extern.zeek
+
+module Foo;
+
+event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "SSH banner in Foo", c$id, is_orig, version, software;
+	}
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import spicy;
+import zeek;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/ { zeek::weird("my_weird", $$.decode()); }
+
+    on %done { spicy::accept_input(); assert zeek::uid() == "CHhAvVGS1DHFjwGM9"; }
+    on %error { spicy::decline_input("kaputt"); }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.sig
+
+signature ssh_server {
+    ip-proto == tcp
+    payload /./
+    enable "spicy_SSH"
+    tcp-state responder
+}
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    # no port, we're using the signature
+    parse with SSH::Banner;
+
+on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/terminate-session.zeek b/testing/btest/spicy/terminate-session.zeek
new file mode 100644
index 0000000000..6f22c4e7ec
--- /dev/null
+++ b/testing/btest/spicy/terminate-session.zeek
@@ -0,0 +1,41 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.spicy test.evt
+# @TEST-EXEC: zeek -b -r ${TRACES}/dns/long-connection.pcap Zeek::Spicy test.hlto base/protocols/conn %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut uid -C > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+#
+# @TEST-DOC: Validate that `terminate_session` indeed flushes Zeek-side connection state
+#
+# We expect to see two conn.log entries instead of one.
+
+redef likely_server_ports += { 53/udp }; # avoid flipping direction after termination
+redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal
+
+# @TEST-START-FILE test.spicy
+module Test;
+
+import zeek;
+
+public type Foo = unit {
+    on %done {
+        self.context().counter = self.context().counter + 1;
+
+        # close the connection if it is too long
+        if ( self.context().counter >= 10 )
+            zeek::terminate_session();
+    }
+    x : /./;
+
+    %context = Counter;
+};
+
+type Counter = tuple<counter:int64>;
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+protocol analyzer spicy::Test over UDP:
+    port 53/udp,
+    parse originator with Test::Foo;
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/toggle-protocol-analyzer.zeek b/testing/btest/spicy/toggle-protocol-analyzer.zeek
new file mode 100644
index 0000000000..ef0077a473
--- /dev/null
+++ b/testing/btest/spicy/toggle-protocol-analyzer.zeek
@@ -0,0 +1,46 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o ssh.hlto ssh.spicy ssh.evt
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace ssh.hlto %INPUT ENABLE=T >>output;
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace ssh.hlto %INPUT ENABLE=F >>output;
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Check operation of Spicy::{enable,disable}_protocol_analyzer()
+
+const ENABLE = T &redef;
+
+event zeek_init() {
+    if ( ENABLE )
+        Spicy::enable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SSH);
+    else
+        Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SSH);
+}
+
+event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
+	{
+	print "Spicy: SSH banner", c$id, is_orig, version, software;
+	}
+
+# @TEST-START-FILE ssh.spicy
+module SSH;
+
+import zeek;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh.evt
+protocol analyzer spicy::SSH over TCP:
+    port 22/tcp,
+    parse originator with SSH::Banner;
+
+on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/tuple-arg.zeek b/testing/btest/spicy/tuple-arg.zeek
new file mode 100644
index 0000000000..4b8a4be8bc
--- /dev/null
+++ b/testing/btest/spicy/tuple-arg.zeek
@@ -0,0 +1,48 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-tuple.evt
+# @TEST-EXEC: HILTI_DEBUG=zeek zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT | sort >output
+# @TEST-EXEC: grep event .stderr | sort >>output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+    i: int;
+	s: string &optional;
+};
+
+event ssh::banner(f: Foo)
+	{
+	print f;
+	}
+
+# @TEST-START-FILE ssh.spicy
+
+module SSH;
+
+import zeek;
+
+public type Banner = unit {
+    magic   : /SSH-/;
+    version : /[^-]*/;
+    dash    : /-/;
+    software: /[^\r\n]*/;
+
+    unset_field: uint64 if ( False );
+
+    on %done { zeek::confirm_protocol(); }
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE ssh-tuple.evt
+
+protocol analyzer spicy::SSH over TCP:
+    parse originator with SSH::Banner,
+    port 22/tcp,
+    replaces SSH;
+
+on SSH::Banner -> event ssh::banner((1, self.software));
+on SSH::Banner -> event ssh::banner((2, self.?software));
+on SSH::Banner -> event ssh::banner((3, self.?unset_field));
+on SSH::Banner -> event ssh::banner((4, Null));
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/tuple-enum.zeek b/testing/btest/spicy/tuple-enum.zeek
new file mode 100644
index 0000000000..9918957b40
--- /dev/null
+++ b/testing/btest/spicy/tuple-enum.zeek
@@ -0,0 +1,42 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto tupleenum.spicy ./tupleenum.evt
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort >output
+# @TEST-EXEC: btest-diff output
+
+type Foo: record {
+    i: TupleEnum::TestEnum;
+    j: count;
+};
+
+event enum_message(f: Foo) {
+	print f;
+}
+
+# @TEST-START-FILE tupleenum.evt
+
+protocol analyzer TupleEnum over TCP:
+    parse with TupleEnum::Message,
+    port 22/tcp,
+    replaces SSH;
+
+on TupleEnum::Message -> event enum_message( (self.a, cast<uint64>(self.b)) );
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE tupleenum.spicy
+
+module TupleEnum;
+
+public type TestEnum = enum {
+    A = 83, B = 84, C = 85
+};
+
+public type Message = unit {
+    a: uint8 &convert=TestEnum($$);
+    b: uint8;
+
+    on %done { print self; }
+};
+
+# @TEST-END-FILE
diff --git a/testing/btest/spicy/type-converter.zeek b/testing/btest/spicy/type-converter.zeek
new file mode 100644
index 0000000000..310470fd7d
--- /dev/null
+++ b/testing/btest/spicy/type-converter.zeek
@@ -0,0 +1,112 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto conv.spicy ./conv.evt
+# @TEST-EXEC: ASAN_OPTIONS=detect_leaks=0 zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE conv.spicy
+
+module Conv;
+
+public type Test = unit {
+    a: bytes &size=5;
+    b: int16;
+    c: uint16;
+    d: bytes &size=1 &convert=3.14;
+    e: bytes &size=1 &convert=1.2.3.4;
+    f: bytes &size=1 &convert=[2001:0db8::1428:57ab];
+    g: bytes &size=1 &convert=True;
+    h: bytes &size=1 &convert="MyString";
+    i: bytes &size=1 &convert=time(1295415110.5);
+    j: bytes &size=1 &convert=interval(4.0);
+
+    var r: MyStruct = [$i = 11];
+    var s: set<uint64> = set<uint64>(1,2,3);
+    var t: tuple<a: int64, b: string> = (47, "foo"); # Tuple conversion will ignore element names.
+    var v: vector<bytes> = vector<bytes>(b"A", b"B", b"C");
+    var l: vector<bytes> = vector<bytes>(b"A", b"B", b"C");
+    var m: map<int64, string> = map(1: "A", 2: "B", 3: "C");
+
+    on %done { print self; }
+};
+
+type MyStruct = struct {
+    i: int64;
+    s: string &optional;
+};
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE conv.evt
+
+protocol analyzer Conv over TCP:
+    parse originator with Conv::Test,
+    port 22/tcp;
+
+on Conv::Test -> event conv::test($conn,
+                                  $is_orig,
+                                  self.a,
+                                  self.b,
+                                  self.c,
+                                  self.d,
+                                  self.e,
+                                  self.f,
+                                  self.g,
+                                  self.h,
+                                  self.i,
+                                  self.j,
+                                  self.r,
+                                  self.s,
+                                  self.t,
+                                  self.v,
+                                  self.l,
+                                  self.m
+                                  );
+
+@TEST-END-FILE
+
+type MyRecord: record {
+    i: int;
+    s: string &optional;
+};
+
+event conv::test(x: connection,
+                 is_orig: bool,
+                 a: string,
+                 b: int,
+                 c: count,
+                 d: double,
+                 e: addr,
+                 f: addr,
+                 g: bool,
+                 h: string,
+                 i: time,
+                 j: interval,
+                 r: MyRecord,
+                 s: set[count],
+                 t: MyRecord,
+                 v: vector of string,
+                 l: vector of string,
+                 m: table[int] of string
+                )
+    {
+    print x$id;
+    print is_orig;
+    print a;
+    print b;
+    print c;
+    print d;
+    print e;
+    print f;
+    print g;
+    print h;
+    print i;
+    print fmt("%f", j), type_name(j); # print as float as interval format differs between versions
+    print r;
+    print s;
+    print t;
+    print v;
+    print l;
+    print m;
+    }
diff --git a/testing/btest/spicy/udp.zeek b/testing/btest/spicy/udp.zeek
new file mode 100644
index 0000000000..d9eef7fd86
--- /dev/null
+++ b/testing/btest/spicy/udp.zeek
@@ -0,0 +1,33 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -o test.hlto udp-test.spicy ./udp-test.evt
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+event zeek_init()
+	{
+	# Check we can access the tag.
+	print Analyzer::ANALYZER_SPICY_UDP_TEST;
+	}
+
+event udp_test::message(c: connection, is_orig: bool, data: string)
+	{
+	print "UDP packet", c$id, is_orig, data;
+	}
+
+# @TEST-START-FILE udp-test.spicy
+module UDPTest;
+
+public type Message = unit {
+    data: bytes &eod;
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE udp-test.evt
+protocol analyzer spicy::UDP_TEST over UDP:
+    parse with UDPTest::Message,
+    port 11337/udp-11340/udp,
+    ports {31337/udp-31340/udp};
+
+on UDPTest::Message -> event udp_test::message($conn, $is_orig, self.data);
+# @TEST-END-FILE
diff --git a/testing/btest/supervisor/config-cluster-multi-logger.zeek b/testing/btest/supervisor/config-cluster-multi-logger.zeek
new file mode 100644
index 0000000000..51a7cfb229
--- /dev/null
+++ b/testing/btest/supervisor/config-cluster-multi-logger.zeek
@@ -0,0 +1,94 @@
+
+# @TEST-PORT: SUPERVISOR_PORT
+# @TEST-PORT: LOGGER_PORT1
+# @TEST-PORT: LOGGER_PORT2
+
+# Run multiple loggers with the supervisor and verify the generated log files
+# contain their node names as log_suffix metadata within the log-queue directory.
+#
+# @TEST-EXEC: btest-bg-run zeek zeek -j -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: ls zeek/log-queue/test*logger-1__.log >> logs.out
+# @TEST-EXEC: ls zeek/log-queue/test*logger-2__.log >> logs.out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed "s/[0-9][0-9]/XX/g"' btest-diff logs.out
+
+@load base/frameworks/cluster
+
+# Make both loggers log into the same log-queue directory.
+redef Log::default_rotation_dir = "../log-queue";
+
+global topic = "test-topic";
+
+module Test;
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		s: string;
+	} &log;
+}
+module GLOBAL;
+
+global pong_count = 0;
+
+event pong()
+	{
+	++pong_count;
+
+	if ( pong_count == 2 )
+		terminate();
+	}
+
+event ping()
+	{
+	Log::write(Test::LOG, [$s="test"]);
+	Broker::publish(topic, pong);
+	}
+
+event zeek_init()
+	{
+	Log::create_stream(Test::LOG, [$columns=Test::Log]);
+
+	if ( Supervisor::is_supervisor() )
+		{
+		Broker::subscribe(topic);
+		Broker::listen("127.0.0.1", to_port(getenv("SUPERVISOR_PORT")));
+		Broker::peer("127.0.0.1", to_port(getenv("LOGGER_PORT1")));
+		Broker::peer("127.0.0.1", to_port(getenv("LOGGER_PORT2")));
+
+		local cluster: table[string] of Supervisor::ClusterEndpoint;
+		cluster["logger-1"] = [
+			$role=Supervisor::LOGGER,
+			$host=127.0.0.1,
+			$p=to_port(getenv("LOGGER_PORT1")),
+		];
+
+		cluster["logger-2"] = [
+			$role=Supervisor::LOGGER,
+			$host=127.0.0.1,
+			$p=to_port(getenv("LOGGER_PORT2")),
+		];
+
+		for ( n, ep in cluster )
+			{
+			local sn = Supervisor::NodeConfig($name = n);
+			sn$cluster = cluster;
+			sn$directory = n;
+			local res = Supervisor::create(sn);
+
+			if ( res != "" )
+				print fmt("failed to create node %s: %s", n, res);
+			}
+		}
+	else
+		{
+		Broker::subscribe(topic);
+		Broker::peer("127.0.0.1", to_port(getenv("SUPERVISOR_PORT")));
+		}
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	if ( Supervisor::is_supervisor() )
+		Broker::publish(topic, ping);
+	}
diff --git a/testing/btest/supervisor/config-cluster.zeek b/testing/btest/supervisor/config-cluster.zeek
index 5be2f927ae..f551ec5044 100644
--- a/testing/btest/supervisor/config-cluster.zeek
+++ b/testing/btest/supervisor/config-cluster.zeek
@@ -11,14 +11,13 @@
 # @TEST-EXEC: btest-diff zeek/worker-1/stdout
 # @TEST-EXEC: btest-diff zeek/proxy-1/stdout
 
-@load base/frameworks/cluster
+@load policy/frameworks/cluster/experimental
 
 # So the supervised node doesn't terminate right away.
 redef exit_only_after_terminate=T;
 
 global supervisor_output_file: file;
 global topic = "test-topic";
-global peer_count = 0;
 
 event shutdown()
 	{
@@ -65,19 +64,10 @@ event zeek_init()
 		}
 	}
 
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
-	{
-	++peer_count;
-
-	if ( Supervisor::is_supervised() )
-		{
-		if ( Cluster::node == "manager" && peer_count == 4 )
-			Broker::publish(topic, shutdown);
-		}
-	}
-
-event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+event Cluster::Experimental::cluster_started()
 	{
+	if ( Cluster::node == "manager" )
+		Broker::publish(topic, shutdown);
 	}
 
 event zeek_done()
diff --git a/testing/builtin-plugins/Baseline/tests.plugins-exist/out b/testing/builtin-plugins/Baseline/tests.plugins-exist/out
index b2917349e8..303d5ee040 100644
--- a/testing/builtin-plugins/Baseline/tests.plugins-exist/out
+++ b/testing/builtin-plugins/Baseline/tests.plugins-exist/out
@@ -1,3 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 Zeek::PyLib - Plugin embedding Python, whoosh. (built-in)
 Demo::Foo - A Foo test analyzer (built-in)
+Demo::Version - Tries to use ZEEK_VERSION_NUMBER (built-in)
diff --git a/testing/builtin-plugins/Files/protocol-plugin/CMakeLists.txt b/testing/builtin-plugins/Files/protocol-plugin/CMakeLists.txt
index 53a50f3961..c7e685cd1e 100644
--- a/testing/builtin-plugins/Files/protocol-plugin/CMakeLists.txt
+++ b/testing/builtin-plugins/Files/protocol-plugin/CMakeLists.txt
@@ -1,9 +1,8 @@
-
 project(Zeek-Plugin-Demo-Foo)
 
 cmake_minimum_required(VERSION 3.5)
 
-if ( NOT ZEEK_DIST )
+if (NOT ZEEK_DIST)
     message(FATAL_ERROR "ZEEK_DIST not set")
 endif ()
 
diff --git a/testing/builtin-plugins/Files/py-lib-plugin/CMakeLists.txt b/testing/builtin-plugins/Files/py-lib-plugin/CMakeLists.txt
index ce8eb32c96..76936614fa 100644
--- a/testing/builtin-plugins/Files/py-lib-plugin/CMakeLists.txt
+++ b/testing/builtin-plugins/Files/py-lib-plugin/CMakeLists.txt
@@ -20,12 +20,12 @@ include_directories(BEFORE ${PYTHON_INCLUDE_DIR})
 zeek_plugin_begin(Zeek PyLib)
 
 file(GLOB cc_files RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "plugin/src/*.cc")
-foreach(file ${cc_files})
+foreach (file ${cc_files})
     zeek_plugin_cc(${file})
 endforeach ()
 
 file(GLOB bif_files RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "plugin/src/*.bif")
-foreach(file ${bif_files})
+foreach (file ${bif_files})
     zeek_plugin_bif(${file})
 endforeach ()
 
diff --git a/testing/builtin-plugins/Files/zeek-version-plugin/.btest-ignore b/testing/builtin-plugins/Files/zeek-version-plugin/.btest-ignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/builtin-plugins/Files/zeek-version-plugin/CMakeLists.txt b/testing/builtin-plugins/Files/zeek-version-plugin/CMakeLists.txt
new file mode 100644
index 0000000000..431677ab2b
--- /dev/null
+++ b/testing/builtin-plugins/Files/zeek-version-plugin/CMakeLists.txt
@@ -0,0 +1,15 @@
+project(Zeek-Plugin-Demo-Version)
+
+cmake_minimum_required(VERSION 3.15)
+
+if (NOT ZEEK_DIST)
+    message(FATAL_ERROR "ZEEK_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake)
+
+include(ZeekPlugin)
+
+zeek_plugin_begin(Demo Version)
+zeek_plugin_cc(src/Plugin.cc)
+zeek_plugin_end()
diff --git a/testing/builtin-plugins/Files/zeek-version-plugin/VERSION b/testing/builtin-plugins/Files/zeek-version-plugin/VERSION
new file mode 100644
index 0000000000..6e8bf73aa5
--- /dev/null
+++ b/testing/builtin-plugins/Files/zeek-version-plugin/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.cc b/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..dc5d9d7a88
--- /dev/null
+++ b/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.cc
@@ -0,0 +1,31 @@
+
+#include "Plugin.h"
+
+#include <zeek/Reporter.h>
+#include <zeek/zeek-config.h>
+
+namespace btest::plugin::Demo_Version
+	{
+Plugin plugin;
+	}
+
+using namespace btest::plugin::Demo_Version;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	zeek::plugin::Configuration config;
+	config.name = "Demo::Version";
+	config.description = "Tries to use ZEEK_VERSION_NUMBER";
+	config.version.major = 1;
+	config.version.minor = 0;
+	config.version.patch = 0;
+	return config;
+	}
+
+void Plugin::InitPostScript()
+	{
+#ifndef ZEEK_VERSION_NUMBER
+#error "ZEEK_VERSION_NUMBER is not defined"
+#endif
+	zeek::reporter->Info("All good ZEEK_VERSION_NUMBER=%d\n", ZEEK_VERSION_NUMBER);
+	}
diff --git a/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.h b/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.h
new file mode 100644
index 0000000000..94eda107d2
--- /dev/null
+++ b/testing/builtin-plugins/Files/zeek-version-plugin/src/Plugin.h
@@ -0,0 +1,20 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace btest::plugin::Demo_Version
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+protected:
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+
+	void InitPostScript() override;
+	};
+
+extern Plugin plugin;
+
+	}
diff --git a/testing/builtin-plugins/tests/plugins-exist.zeek b/testing/builtin-plugins/tests/plugins-exist.zeek
index 229d809d69..454e29a8bd 100644
--- a/testing/builtin-plugins/tests/plugins-exist.zeek
+++ b/testing/builtin-plugins/tests/plugins-exist.zeek
@@ -2,4 +2,5 @@
 
 # @TEST-EXEC: zeek -N Zeek::PyLib >>out
 # @TEST-EXEC: zeek -N Demo::Foo >>out
+# @TEST-EXEC: zeek -N Demo::Version >>out
 # @TEST-EXEC: btest-diff out
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 275024bf19..d57e1cb4df 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-63952e0fc5c88ff44752c586abe721ccb324003e
+828845c99306c6d5d6811fa42987de5b16f530b9
diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index e96d775520..f3788d8653 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-a3459c5c270b8ada31b5d05cd12d8519707ef23d
+89ca663fbe78b89d6a988f32c8cc270cc0f4db02
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 8279cfae9b..c5dd200880 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-e16f299e2ddad6a3495113ff7b26120b6312b220
+b121bfe4d869f1f5e334505b970cd456558ef6a1
diff --git a/testing/scripts/diff-canonifier-spicy b/testing/scripts/diff-canonifier-spicy
new file mode 100755
index 0000000000..3fb4e2c2ba
--- /dev/null
+++ b/testing/scripts/diff-canonifier-spicy
@@ -0,0 +1,6 @@
+#! /usr/bin/env bash
+#
+# Remove unstable pieces in Zeek logs produced by thge Spicy tests.
+
+$(dirname $0)/diff-remove-timestamps |
+    $(dirname $0)/diff-remove-abspath
diff --git a/testing/scripts/spicy-version b/testing/scripts/spicy-version
new file mode 100755
index 0000000000..d9a685c04e
--- /dev/null
+++ b/testing/scripts/spicy-version
@@ -0,0 +1,13 @@
+#! /bin/sh
+#
+# Two usages:
+#     - Without argument, prints out the numerical Spicy version.
+#     - With a numerical Spicy version in $1, exit with true iff we have at least that version.
+
+version=$(spicy-config --version-number)
+
+if [ $# = 0 ]; then
+    echo "${version}"
+else
+    test "${version}" -ge "$1"
+fi
diff --git a/testing/scripts/spicy/README b/testing/scripts/spicy/README
new file mode 100644
index 0000000000..e531d0bcf6
--- /dev/null
+++ b/testing/scripts/spicy/README
@@ -0,0 +1,2 @@
+These are scripts kept for backwards compatibility with existing Spicy
+packages.
diff --git a/testing/scripts/spicy/canonify-zeek-log b/testing/scripts/spicy/canonify-zeek-log
new file mode 100755
index 0000000000..4cf49537e3
--- /dev/null
+++ b/testing/scripts/spicy/canonify-zeek-log
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+#
+# Remove unstable pieces in Zeek logs.
+
+# Get us "modern" regexps with sed.
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+${sed} 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' |
+    $(dirname $0)/diff-remove-timestamps |
+    $(dirname $0)/diff-remove-abspath
diff --git a/testing/scripts/spicy/canonify-zeek-log-sorted b/testing/scripts/spicy/canonify-zeek-log-sorted
new file mode 100755
index 0000000000..80d89fd9f5
--- /dev/null
+++ b/testing/scripts/spicy/canonify-zeek-log-sorted
@@ -0,0 +1,15 @@
+#! /usr/bin/env bash
+#
+# Remove unstable pieces in Zeek logs.
+
+# Get us "modern" regexps with sed.
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+${sed} 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' |
+    $(dirname $0)/diff-sort |
+    $(dirname $0)/diff-remove-timestamps |
+    $(dirname $0)/diff-remove-abspath
diff --git a/testing/scripts/spicy/diff-remove-abspath b/testing/scripts/spicy/diff-remove-abspath
new file mode 100755
index 0000000000..e08d64d5e2
--- /dev/null
+++ b/testing/scripts/spicy/diff-remove-abspath
@@ -0,0 +1,12 @@
+#! /usr/bin/env bash
+#
+# Replace absolute paths with the basename.
+
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+$sed 's#/+#/#g' |
+    $sed 's#/([^	 :/]{1,}/){1,}([^	 :/]{1,})#<...>/\2#g'
diff --git a/testing/scripts/spicy/diff-remove-timestamps b/testing/scripts/spicy/diff-remove-timestamps
new file mode 100755
index 0000000000..30ea6d1817
--- /dev/null
+++ b/testing/scripts/spicy/diff-remove-timestamps
@@ -0,0 +1,12 @@
+#! /usr/bin/env bash
+#
+# Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs).
+
+# Get us "modern" regexps with sed.
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+$sed -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/g' -e 's/^ *#(open|close).(19|20)..-..-..-..-..-../#\1 XXXX-XX-XX-XX-XX-XX/g'
diff --git a/testing/scripts/spicy/diff-sort b/testing/scripts/spicy/diff-sort
new file mode 100755
index 0000000000..66e2893c80
--- /dev/null
+++ b/testing/scripts/spicy/diff-sort
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# A diff canonifier that sorts all lines but keeps all comments
+# at the top. It also adds a note at the beginning as a reminder
+# that the output has been sorted.
+
+if [ "$TMP" == "" ]; then
+    TMP=/tmp
+fi
+
+tmp=$TMP/$(basename $0).$$.tmp
+
+cat >$tmp
+
+echo "### NOTE: This file has been sorted with $(basename $0)."
+cat $tmp | grep ^#
+cat $tmp | grep -v ^# | sort -s
+
+rm -f $tmp
diff --git a/testing/scripts/spicy/run-zeek b/testing/scripts/spicy/run-zeek
new file mode 100755
index 0000000000..db7af1df93
--- /dev/null
+++ b/testing/scripts/spicy/run-zeek
@@ -0,0 +1,7 @@
+#! /bin/sh
+#
+# Wrapper around Zeek to set environment.
+
+base=$(cd $(dirname $0)/.. && pwd)
+
+LD_PRELOAD=${ZEEK_LD_PRELOAD} DYLD_INSERT_LIBRARIES=${ZEEK_LD_PRELOAD} ASAN_OPTIONS=detect_leaks=0:detect_odr_violation=0 zeek $@
diff --git a/testing/scripts/spicy/spicy-version b/testing/scripts/spicy/spicy-version
new file mode 100755
index 0000000000..bd43ce2462
--- /dev/null
+++ b/testing/scripts/spicy/spicy-version
@@ -0,0 +1,14 @@
+#! /bin/sh
+#
+# Two usages:
+#     - Without argument, prints out the numerical Spicy version.
+#     - With a numerical Spicy version in $1, exit with true iff we have at least that version.
+
+base=${TEST_BASE-$(cd $(dirname $0)/.. && pwd)}
+nversion=$(spicy-config --version-number)
+
+if [ $# = 0 ]; then
+    echo "${nversion}"
+else
+    test "${nversion}" -ge "$1"
+fi
diff --git a/testing/scripts/spicy/zeek-version b/testing/scripts/spicy/zeek-version
new file mode 100755
index 0000000000..4d1a283c5b
--- /dev/null
+++ b/testing/scripts/spicy/zeek-version
@@ -0,0 +1,20 @@
+#! /bin/sh
+#
+# Two usages:
+#     - Without argument, prints out the numerical Zeek version.
+#     - With a numerical Zeek version in $1, exit with true iff we have at least that version.
+
+base=$(cd $(dirname $0)/.. && pwd)
+
+version=$(zeek-config --version)
+major=$(echo ${version} | cut -d . -f 1)
+minor=$(echo ${version} | cut -d . -f 2)
+patch=$(echo ${version} | cut -d . -f 3)
+
+nversion=$((${major} * 10000 + ${minor} * 100 + ${patch}))
+
+if [ $# = 0 ]; then
+    echo "${nversion}"
+else
+    test "${nversion}" -ge "$1"
+fi
diff --git a/zeek-config-paths.h.in b/zeek-config-paths.h.in
new file mode 100644
index 0000000000..be135e8b93
--- /dev/null
+++ b/zeek-config-paths.h.in
@@ -0,0 +1,11 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#define ZEEK_SCRIPT_INSTALL_PATH "@ZEEK_SCRIPT_INSTALL_PATH@"
+#define BRO_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define ZEEK_PLUGIN_INSTALL_PATH "@ZEEK_PLUGIN_DIR@"
+#define DEFAULT_ZEEKPATH "@DEFAULT_ZEEKPATH@"
+#define ZEEK_SPICY_MODULE_PATH "@ZEEK_SPICY_MODULE_PATH@"
+#define ZEEK_SPICY_LIBRARY_PATH "@ZEEK_SPICY_LIBRARY_PATH@"
+#define ZEEK_SPICY_DATA_PATH "@ZEEK_SPICY_DATA_PATH@"
diff --git a/zeek-config.h.in b/zeek-config.h.in
index a681e5fa5d..7f9fe60a0c 100644
--- a/zeek-config.h.in
+++ b/zeek-config.h.in
@@ -1,3 +1,5 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
 #pragma once
 
 /* Old libpcap versions (< 0.6.1) need defining pcap_freecode and
@@ -248,19 +250,10 @@
 /* String with extension of dynamic libraries (e.g., ".so") */
 #define DYNAMIC_PLUGIN_SUFFIX "@CMAKE_SHARED_MODULE_SUFFIX@"
 
-/* Set if we're building outside of the main Zeek source code tree. */
-#ifndef ZEEK_PLUGIN_INTERNAL_BUILD
-#define ZEEK_PLUGIN_INTERNAL_BUILD true
-#else
-// Backwards compat for external plugins, include the version
-// identifiers through zeek/zeek-version.h.
-#if ! ZEEK_PLUGIN_INTERNAL_BUILD
+// For builtin plugins, we don't want to include zeek-version.h.
+#ifndef ZEEK_CONFIG_SKIP_VERSION_H
 #include "zeek/zeek-version.h"
 #endif
-//
-// Not sure we can ever deprecate this without changing
-// the names.
-#endif
 
 // GCC uses __SANITIZE_ADDRESS__, Clang uses __has_feature
 #if defined(__SANITIZE_ADDRESS__)
@@ -307,3 +300,6 @@
 #else
 	#define ZEEK_DISABLE_TSAN
 #endif
+
+/* compiled with Spicy support */
+#cmakedefine HAVE_SPICY
diff --git a/zeek-config.in b/zeek-config.in
index 98396dc989..0940f6fe09 100755
--- a/zeek-config.in
+++ b/zeek-config.in
@@ -1,22 +1,22 @@
 #!/bin/sh
 
-binpac_root=@ZEEK_CONFIG_BINPAC_ROOT_DIR@
-broker_root=@ZEEK_CONFIG_BROKER_ROOT_DIR@
-btest_tools_dir=@ZEEK_CONFIG_BTEST_TOOLS_DIR@
-build_type=@CMAKE_BUILD_TYPE_LOWER@
-cmake_dir=@ZEEK_CMAKE_CONFIG_DIR@
-config_dir=@ZEEK_ETC_INSTALL_DIR@
-have_spicy=@USE_SPICY_ANALYZERS@
-include_dir=@CMAKE_INSTALL_PREFIX@/include
-lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@
-plugin_dir=@ZEEK_PLUGIN_DIR@
-prefix=@CMAKE_INSTALL_PREFIX@
-python_dir=@PY_MOD_INSTALL_DIR@
-script_dir=@ZEEK_SCRIPT_INSTALL_PATH@
-site_dir=@ZEEK_SCRIPT_INSTALL_PATH@/site
-version=@VERSION@
-zeek_dist=@ZEEK_DIST@
-zeekpath=@DEFAULT_ZEEKPATH@
+binpac_root="@ZEEK_CONFIG_BINPAC_ROOT_DIR@"
+broker_root="@ZEEK_CONFIG_BROKER_ROOT_DIR@"
+btest_tools_dir="@ZEEK_CONFIG_BTEST_TOOLS_DIR@"
+build_type="@CMAKE_BUILD_TYPE_LOWER@"
+cmake_dir="@ZEEK_CMAKE_CONFIG_DIR@"
+config_dir="@ZEEK_ETC_INSTALL_DIR@"
+have_spicy="@USE_SPICY_ANALYZERS@"
+include_dir="@CMAKE_INSTALL_PREFIX@/include"
+lib_dir="@CMAKE_INSTALL_FULL_LIBDIR@"
+plugin_dir="@ZEEK_PLUGIN_DIR@"
+prefix="@CMAKE_INSTALL_PREFIX@"
+python_dir="@PY_MOD_INSTALL_DIR@"
+script_dir="@ZEEK_SCRIPT_INSTALL_PATH@"
+site_dir="@ZEEK_SCRIPT_INSTALL_PATH@/site"
+version="@VERSION@"
+zeek_dist="@ZEEK_DIST@"
+zeekpath="@DEFAULT_ZEEKPATH@"
 
 add_path() {
     # $1: existing path
@@ -32,6 +32,7 @@ add_path() {
     echo "$1:$2"
 }
 
+# When changing any of these, also update "src/spicy/spicyz/config.h.in".
 include_dir=$(add_path "$include_dir" "@ZEEK_CONFIG_PCAP_INCLUDE_DIR@")
 include_dir=$(add_path "$include_dir" "@ZEEK_CONFIG_ZLIB_INCLUDE_DIR@")
 include_dir=$(add_path "$include_dir" "@ZEEK_CONFIG_OPENSSL_INCLUDE_DIR@")
diff --git a/zeek-path-dev.bat.in b/zeek-path-dev.bat.in
new file mode 100644
index 0000000000..8602245e2a
--- /dev/null
+++ b/zeek-path-dev.bat.in
@@ -0,0 +1,8 @@
+:: Sets up the basic environment needed to run Zeek from a Windows command prompt (not bash!).
+:: This is needed in order to run unit tests on Cirrus.
+::
+:: The ZEEKPATH line here should be kept in sync with the zeek-path-dev.in file.
+::
+
+@set ZEEKPATH=.;${cmake_source_dir}/scripts;${cmake_source_dir}/scripts/policy;${cmake_source_dir}/scripts/site;${cmake_binary_dir}/scripts;${cmake_binary_dir}/scripts/builtin-plugins
+@set ZEEK_PLUGIN_PATH=${cmake_binary_dir}/src}
diff --git a/zeek-path-dev.in b/zeek-path-dev.in
index 0c5fa4fbd2..e80b2222d2 100755
--- a/zeek-path-dev.in
+++ b/zeek-path-dev.in
@@ -9,5 +9,6 @@
 #
 #     ZEEKPATH=`./zeek-path-dev` ./src/zeek
 #
+# This file should be kept in sync with the ZEEKPATH line in zeek-path-dev.bat.in.
 
 echo .:${cmake_source_dir}/scripts:${cmake_source_dir}/scripts/policy:${cmake_source_dir}/scripts/site:${cmake_binary_dir}/scripts:${cmake_binary_dir}/scripts/builtin-plugins
diff --git a/zeek-version.h.in b/zeek-version.h.in
index 30b0c914ba..f09f9ce5a7 100644
--- a/zeek-version.h.in
+++ b/zeek-version.h.in
@@ -1,3 +1,5 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
 #pragma once
 
 /* Version number of package */