Checkpointing the merge. Not done yet.

Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge

* origin/topic/tunnels: (41 commits)
  Extend weird names that occur in core packet processing during decapsulation.
  Add Teredo analysis option to reduce false positive decapsulation.
  Just some cleanup/documentation of new tunnel-handling code.
  Memory leak fixes
  Add a config.h definition for IPPROTO_IPV4.
  Add AYIYA tunnel decapsulation unit test.
  Add Teredo-specific events.
  Refactor some of the NetSessions routines that recurse on IP packets.
  Add independent options to toggle the different decapsulation methods
  Add more sanity checks before recursing on encapsulated IP packets.
  Suppress Teredo weirds unless decapsulation was successful once before.
  Tunnel support performance optimization.
  Add Teredo tunnel decapsulation.
  Fix for IP tunnel UID persistence.
  Fix AYIYA analyzer tag.
  Add summary documentation to tunnels/main.bro.
  Make tunnels always identifiable by UID, tunnel.log now gets populated.
  Some improvements to the AYIYA analyzer.
  Remove Tunnel::decapsulate_ip option.
  Remove invalid IP-in-IP encapsulated protocol value.
  ...

NEWS

@@ -60,6 +60,10 @@ Bro 2.1
   signature_files constant, this can be used to load signatures
   relative to the current script (e.g., "@load-sigs ./foo.sig").
 
+- The options encap_hdr_size and tunnel_port have been removed. Bro
+  now supports decapsulating tunnels directly for protocols it
+  understands.
+
 TODO: Extend.
 
 Bro 2.0

cmake

@@ -1 +1 @@
-Subproject commit 96f3d92acadbe1ae64f410e974c5ff503903394b
+Subproject commit 2a72c5e08e018cf632033af3920432d5f684e130

config.h.in

@@ -165,6 +165,10 @@
 #ifndef HAVE_IPPROTO_IPV6
 #define IPPROTO_IPV6 41
 #endif
+#cmakedefine HAVE_IPPROTO_IPV4
+#ifndef HAVE_IPPROTO_IPV4
+#define IPPROTO_IPV4 4
+#endif
 #cmakedefine HAVE_IPPROTO_ROUTING
 #ifndef HAVE_IPPROTO_ROUTING
 #define IPPROTO_ROUTING 43

doc/scripts/DocSourcesList.cmake

@@ -59,6 +59,7 @@ rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
+rest_target(${psd} base/frameworks/tunnels/main.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
 rest_target(${psd} base/protocols/conn/inactivity.bro)
 rest_target(${psd} base/protocols/conn/main.bro)
@@ -77,6 +78,7 @@ rest_target(${psd} base/protocols/irc/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
+rest_target(${psd} base/protocols/socks/main.bro)
 rest_target(${psd} base/protocols/ssh/main.bro)
 rest_target(${psd} base/protocols/ssl/consts.bro)
 rest_target(${psd} base/protocols/ssl/main.bro)

scripts/base/frameworks/dpd/dpd.sig

@@ -149,3 +149,46 @@ signature dpd_ssl_client {
   payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/
   tcp-state originator
 }
+
+signature dpd_ayiya {
+  ip-proto = udp
+  payload /^..\x11\x29/
+  enable "ayiya"
+}
+
+signature dpd_teredo {
+  ip-proto = udp
+  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/
+  enable "teredo"
+}
+
+signature dpd_socks_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state originator
+}
+
+signature dpd_socks_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state responder
+	enable "socks"
+}
+
+signature dpd_socks_reverse_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state responder
+}
+
+signature dpd_socks_reverse_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state originator
+	enable "socks"
+}
+

scripts/base/frameworks/tunnels/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/frameworks/tunnels/main.bro

@@ -0,0 +1,151 @@
+##! This script handles the tracking/logging of tunnels (e.g. Teredo,
+##! AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+##!
+##! For any connection that occurs over a tunnel, information about its
+##! encapsulating tunnels is also found in the *tunnel* field of
+##! :bro:type:`connection`.
+
+module Tunnel;
+
+export {
+	## The tunnel logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## Types of interesting activity that can occur with a tunnel.
+	type Action: enum {
+		## A new tunnel (encapsulating "connection") has been seen.
+		DISCOVER,
+		## A tunnel connection has closed.
+		CLOSE,
+		## No new connections over a tunnel happened in the past day.
+                ## TODO-Jon: Where is the "past day" coming from? Should be an
+                ## option.
+		EXPIRE,
+	};
+
+	## The record type which contains column fields of the tunnel log.
+	type Info: record {
+		## Time at which some tunnel activity occurred.
+		ts:          time         &log;
+		## The unique identifier for the tunnel, which may correspond
+		## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
+		uid:         string       &log;
+		## The tunnel "connection" 4-tuple of endpoint addresses/ports.
+		## For an IP tunnel, the ports will be 0.
+		id:          conn_id      &log;
+		## The type of activity that occurred.
+		action:      Action       &log;
+		## The type of tunnel.
+		tunnel_type: Tunnel::Type &log;
+	};
+
+	## Logs all tunnels in an ecapsulation chain with action
+	## :bro:see:`Tunnel::DISCOVER` that aren't already in the
+	## :bro:id:`Tunnel::active` table and adds them if not.
+	global register_all: function(ecv: EncapsulatingConnVector);
+
+	## Logs a single tunnel "connection" with action
+	## :bro:see:`Tunnel::DISCOVER` if it's not already in the
+	## :bro:id:`Tunnel::active` table and adds it if not.
+	global register: function(ec: EncapsulatingConn);
+
+	## Logs a single tunnel "connection" with action
+	## :bro:see:`Tunnel::EXPIRE` and removes it from the
+	## :bro:id:`Tunnel::active` table.
+	##
+	## t: A table of tunnels.
+	##
+	## idx: The index of the tunnel table corresponding to the tunnel to expire.
+	##
+	## Returns: 0secs, which when this function is used as an
+	##          :bro:attr:`&expire_func`, indicates to remove the element at
+	##          *idx* immediately.
+	global expire: function(t: table[conn_id] of Info, idx: conn_id): interval;
+
+	## Removes a single tunnel from the :bro:id:`Tunnel::active` table
+	## and logs the closing/expiration of the tunnel.
+	##
+	## tunnel: The tunnel which has closed or expired.
+	##
+	## action: The specific reason for the tunnel ending.
+	global close: function(tunnel: Info, action: Action);
+
+	## Currently active tunnels.  That is, tunnels for which new, encapsulated
+	## connections have been seen in the last day.
+        ## TODO-Jon: Do we we need the &synchronized here?
+	global active: table[conn_id] of Info = table() &synchronized &read_expire=24hrs &expire_func=expire;
+}
+
+const ayiya_ports = { 5072/udp };
+redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
+
+const teredo_ports = { 3544/udp };
+redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
+
+redef likely_server_ports += { ayiya_ports, teredo_ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Tunnel::LOG, [$columns=Info]);
+	}
+
+function register_all(ecv: EncapsulatingConnVector)
+	{
+	for ( i in ecv )
+		register(ecv[i]);
+	}
+
+function register(ec: EncapsulatingConn)
+	{
+	if ( ec$cid !in active )
+		{
+		local tunnel: Info;
+		tunnel$ts = network_time();
+		tunnel$uid = ec$uid;
+		tunnel$id = ec$cid;
+		tunnel$action = DISCOVER;
+		tunnel$tunnel_type = ec$tunnel_type;
+		active[ec$cid] = tunnel;
+		Log::write(LOG, tunnel);
+		}
+	}
+
+function close(tunnel: Info, action: Action)
+	{
+	tunnel$action = action;
+	tunnel$ts = network_time();
+	Log::write(LOG, tunnel);
+	delete active[tunnel$id];
+	}
+
+function expire(t: table[conn_id] of Info, idx: conn_id): interval
+	{
+	close(t[idx], EXPIRE);
+	return 0secs;
+	}
+
+event new_connection(c: connection) &priority=5
+	{
+	if ( c?$tunnel )
+		register_all(c$tunnel);
+	}
+
+event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
+	{
+	## TODO-Jon: Not sure I understand this. Shouldn't c$tunnel already be
+        ## registered? And what if a layer goes way, does that need to be
+        ## removed here? Or is that done separately?
+        ## 
+        ## Also, conn/main.bro has a tunnel_changed handler at the same
+        ## priority that *sets* c$tunnel.  That's seems undefine behaviour. 
+	if ( c?$tunnel )
+		register_all(c$tunnel);
+
+	register_all(e);
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c$id in active )
+		close(active[c$id], CLOSE);
+	}

scripts/base/init-bare.bro

@@ -178,6 +178,32 @@ type endpoint_stats: record {
 ##    use ``count``. That should be changed.
 type AnalyzerID: count;
 
+module Tunnel;
+export {
+	## Records the identity of an encapsulating parent of a tunneled connection.
+	type EncapsulatingConn: record {
+		## The 4-tuple of the encapsulating "connection". In case of an IP-in-IP
+		## tunnel the ports will be set to 0. The direction (i.e., orig and
+		## resp) are set according to the first tunneled packet seen
+		## and not according to the side that established the tunnel. 
+		cid: conn_id;
+		## The type of tunnel.
+		tunnel_type: Tunnel::Type;
+		## A globally unique identifier that, for non-IP-in-IP tunnels,
+		## cross-references the *uid* field of :bro:type:`connection`.
+		uid: string;
+	} &log;
+} # end export
+module GLOBAL;
+
+## A type alias for a vector of encapsulating "connections", i.e for when
+## there are tunnels within tunnels.
+##
+## .. todo:: We need this type definition only for declaring builtin functions
+##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
+##    directly and then remove this alias.
+type EncapsulatingConnVector: vector of Tunnel::EncapsulatingConn;
+
 ## Statistics about a :bro:type:`connection` endpoint.
 ##
 ## .. bro:see:: connection
@@ -199,10 +225,10 @@ type endpoint: record {
 	flow_label: count;
 };
 
-# A connection. This is Bro's basic connection type describing IP- and
+## A connection. This is Bro's basic connection type describing IP- and
-# transport-layer information about the conversation. Note that Bro uses a
+## transport-layer information about the conversation. Note that Bro uses a
-# liberal interpreation of "connection" and associates instances of this type
+## liberal interpreation of "connection" and associates instances of this type
-# also with UDP and ICMP flows.
+## also with UDP and ICMP flows.
 type connection: record {
 	id: conn_id;	##< The connection's identifying 4-tuple.
 	orig: endpoint;	##< Statistics about originator side.
@@ -227,6 +253,12 @@ type connection: record {
 	## that is very likely unique across independent Bro runs. These IDs can thus be
 	## used to tag and locate information  associated with that connection.
 	uid: string;
+	## If the connection is tunneled, this field contains information about
+	## the encapsulating "connection(s)" with the outermost one starting
+	## at index zero.  It's also always the first such enapsulation seen
+	## for the connection unless the :bro:id:`tunnel_changed` event is handled
+	## and re-assigns this field to the new encapsulation.
+	tunnel: EncapsulatingConnVector &optional;
 };
 
 ## Fields of a SYN packet.
@@ -883,19 +915,6 @@ const frag_timeout = 0.0 sec &redef;
 ##    to be potentially copied and buffered.
 const packet_sort_window = 0 usecs &redef;
 
-## If positive, indicates the encapsulation header size that should
-## be skipped. This either applies to all packets, or if
-## :bro:see:`tunnel_port` is set, only to packets on that port.
-##
-## .. :bro:see:: tunnel_port
-const encap_hdr_size = 0 &redef;
-
-## A UDP port that specifies which connections to apply :bro:see:`encap_hdr_size`
-## to.
-##
-## .. :bro:see:: encap_hdr_size
-const tunnel_port = 0/udp &redef;
-
 ## Whether to use the ``ConnSize`` analyzer to count the number of packets and
 ## IP-level bytes transfered by each endpoint. If true, these values are returned
 ## in the connection's :bro:see:`endpoint`  record value.
@@ -1250,7 +1269,7 @@ type ip6_ext_hdr: record {
 	mobility: ip6_mobility_hdr &optional;
 };
 
-## A type alias for a vector of IPv6 extension headers
+## A type alias for a vector of IPv6 extension headers.
 type ip6_ext_hdr_chain: vector of ip6_ext_hdr;
 
 ## Values extracted from an IPv6 header.
@@ -1336,6 +1355,42 @@ type pkt_hdr: record {
 	icmp: icmp_hdr &optional;		##< The ICMP header if an ICMP packet.
 };
 
+## A Teredo origin indication header.  See :rfc:`4380` for more information
+## about the Teredo protocol.
+##
+## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
+##    teredo_hdr
+type teredo_auth: record {
+	id:      string;  ##< Teredo client identifier.
+	value:   string;  ##< HMAC-SHA1 over shared secret key between client and
+	                  ##< server, nonce, confirmation byte, origin indication
+	                  ##< (if present), and the IPv6 packet.
+	nonce:   count;   ##< Nonce chosen by Teredo client to be repeated by
+	                  ##< Teredo server.
+	confirm: count;   ##< Confirmation byte to be set to 0 by Teredo client
+	                  ##< and non-zero by server if client needs new key.
+};
+
+## A Teredo authentication header.  See :rfc:`4380` for more information
+## about the Teredo protocol.
+##
+## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
+##    teredo_hdr
+type teredo_origin: record {
+	p: port; ##< Unobfuscated UDP port of Teredo client.
+	a: addr; ##< Unobfuscated IPv4 address of Teredo client.
+};
+
+## A Teredo packet header.  See :rfc:`4380` for more information about the
+## Teredo protocol.
+##
+## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
+type teredo_hdr: record {
+	auth:   teredo_auth &optional;   ##< Teredo authentication header.
+	origin: teredo_origin &optional; ##< Teredo origin indication header.
+	hdr:    pkt_hdr;                 ##< IPv6 and transport protocol headers.
+};
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given as
 ## index in this table. For each such filter, the corresponding event is raised for
 ## all matching packets.
@@ -2636,11 +2691,30 @@ const record_all_packets = F &redef;
 ## .. bro:see:: conn_stats
 const ignore_keep_alive_rexmit = F &redef;
 
-## Whether the analysis engine parses IP packets encapsulated in
+module Tunnel;
-## UDP tunnels.
+export {
-##
+	## The maximum depth of a tunnel to decapsulate until giving up.
-## .. bro:see:: tunnel_port
+	## Setting this to zero will disable all types of tunnel decapsulation.
-const parse_udp_tunnels = F &redef;
+	const max_depth: count = 2 &redef;
+
+	## Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
+	const enable_ip = T &redef;
+
+	## Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
+	const enable_ayiya = T &redef;
+
+	## Toggle whether to do IPv6-in-Teredo decapsulation.
+	const enable_teredo = T &redef;
+
+	## With this option set, the Teredo analysis will first check to see if
+	## other protocol analyzers have confirmed that they think they're
+	## parsing the right protocol and only continue with Teredo tunnel
+	## decapsulation if nothing else has yet confirmed.  This can help
+	## reduce false positives of UDP traffic (e.g. DNS) that also happens
+	## to have a valid Teredo encapsulation.
+	const yielding_teredo_decapsulation = T &redef;
+} # end export
+module GLOBAL;
 
 ## Number of bytes per packet to capture from live interfaces.
 const snaplen = 8192 &redef;

scripts/base/init-default.bro

@@ -29,6 +29,7 @@
 @load base/frameworks/metrics
 @load base/frameworks/intel
 @load base/frameworks/reporter
+@load base/frameworks/tunnels
 
 @load base/protocols/conn
 @load base/protocols/dns
@@ -36,6 +37,7 @@
 @load base/protocols/http
 @load base/protocols/irc
 @load base/protocols/smtp
+@load base/protocols/socks
 @load base/protocols/ssh
 @load base/protocols/ssl
 @load base/protocols/syslog

scripts/base/protocols/conn/main.bro

@@ -101,6 +101,10 @@ export {
 		resp_pkts:     count      &log &optional;
 		## Number IP level bytes the responder sent. See ``orig_pkts``.
 		resp_ip_bytes: count      &log &optional;
+		## If this connection was over a tunnel, indicate the 
+		## *uid* values for any encapsulating parent connections
+		## used over the lifetime of this inner connection.
+		parents:        set[string] &log;
 	};
 
 	## Event that can be handled to access the :bro:type:`Conn::Info`
@@ -190,6 +194,8 @@ function set_conn(c: connection, eoc: bool)
 	c$conn$ts=c$start_time;
 	c$conn$uid=c$uid;
 	c$conn$id=c$id;
+	if ( c?$tunnel && |c$tunnel| > 0 )
+		add c$conn$parents[c$tunnel[|c$tunnel|-1]$uid];
 	c$conn$proto=get_port_transport_proto(c$id$resp_p);
 	if( |Site::local_nets| > 0 )
 		c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
@@ -227,6 +233,14 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
 	
 	c$conn$missed_bytes = c$conn$missed_bytes + length;
 	}
+
+event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
+	{
+	set_conn(c, F);
+	if ( |e| > 0 )
+		add c$conn$parents[e[|e|-1]$uid];
+	c$tunnel = e;
+	}
 	
 event connection_state_remove(c: connection) &priority=5
 	{

scripts/base/protocols/socks/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/protocols/socks/main.bro

@@ -0,0 +1,116 @@
+@load base/frameworks/tunnels
+
+module SOCKS;
+
+export {
+	type RequestType: enum {
+		CONNECTION = 1,
+		PORT       = 2,
+	};
+}
+
+event socks_request(c: connection, request_type: count, dstaddr: addr, dstname: string, p: port, user: string)
+	{
+	Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]);
+	}
+
+#
+#global output = open_log_file("socks");
+#
+#type socks_conn: record {
+#	id: conn_id;
+#	t: time;
+#	req: socks_request_type &optional;
+#	dstaddr: addr &optional;
+#	dstname: string &optional;
+#	p: port &optional;
+#	user: string &optional;
+#	service: string &optional;
+#	variant: string &default = "SOCKS v4";
+#	granted: string &default = "no-reply";
+#};
+#
+#
+#global conns: table[conn_id] of socks_conn;
+#global proxies: set[addr] &read_expire = 24hrs;
+#
+#event socks_request(c: connection, t: socks_request_type, dstaddr: addr, dstname: string, p: port, user: string)
+#	{
+#	local id = c$id;
+#
+#	local sc: socks_conn;
+#	sc$id = id;
+#	sc$t = c$start_time;
+#	sc$req = t;
+#	
+#	if ( dstaddr != 0.0.0.0 )
+#		sc$dstaddr = dstaddr;
+#	
+#	if ( dstname != "" )
+#		sc$dstname = dstname;
+#	
+#	if ( p != 0/tcp )
+#		sc$p = p;
+#	
+#	if ( user != "" )
+#		sc$user = user;
+#	
+#	conns[id] = sc;
+#	}
+#
+#event socks_reply(c: connection, granted: bool, dst: addr, p: port)
+#	{
+#	local id = c$id;
+#	local sc: socks_conn;
+#	
+#	if ( id in conns )
+#		sc = conns[id];
+#	else
+#		{
+#		sc$id = id;
+#		sc$t = c$start_time;
+#		conns[id] = sc;
+#		}
+#
+#	sc$granted = granted ? "ok" : "denied";
+#	
+#	local proxy = c$id$resp_h;
+#	
+#	if ( proxy !in proxies )
+#		{
+#		NOTICE([$note=SOCKSProxy, $src=proxy, $sub=sc$variant,
+#				   $msg=fmt("SOCKS proxy seen at %s (%s)", proxy, sc$variant)]);
+#		add proxies[proxy];
+#		}
+#	}
+#
+#function print_conn(sc: socks_conn)
+#	{
+#	local req = "<unknown-type>";
+#	if ( sc?$req )
+#		{
+#		if ( sc$req == SOCKS_CONNECTION )
+#			req = "relay-to";
+#		if ( sc$req == SOCKS_PORT )
+#			req = "bind-port";
+#		}
+#	
+#	local p = sc?$p ? fmt("%s", sc$p) : "<no-port>";
+#	
+#	local dest = sc?$dstaddr 
+#		? (fmt("%s:%s%s", sc$dstaddr, p, (sc?$dstname ? fmt(" (%s)", sc$dstname) : "")))
+#		: (sc?$dstname ? fmt("%s:%s", sc$dstname, p) : "<no-dest>");
+#	local user = sc?$user ? fmt(" (user %s)", sc?$user) : "";
+#	
+#	local service = sc?$service ? fmt(" [%s]", sc$service) : "";
+#	
+#	print output, fmt("%.6f %s %s %s %s-> %s%s", sc$t, id_string(sc$id), req, 
+#			dest, user, sc$granted, service);
+#	}
+#
+#event connection_state_remove(c: connection)
+#	{
+#	if ( c$id in conns )
+#		print_conn(conns[c$id]);
+#	}
+#

src/AYIYA.cc

@@ -0,0 +1,24 @@
+#include "AYIYA.h"
+
+AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::AYIYA, conn)
+	{
+	interp = new binpac::AYIYA::AYIYA_Conn(this);
+	}
+
+AYIYA_Analyzer::~AYIYA_Analyzer()
+	{
+	delete interp;
+	}
+
+void AYIYA_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	interp->NewData(orig, data, data + len);
+	}

src/AYIYA.h

@@ -0,0 +1,29 @@
+#ifndef AYIYA_h
+#define AYIYA_h
+
+#include "ayiya_pac.h"
+
+class AYIYA_Analyzer : public Analyzer {
+public:
+	AYIYA_Analyzer(Connection* conn);
+	virtual ~AYIYA_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new AYIYA_Analyzer(conn); }
+
+	static bool Available()
+		{ return BifConst::Tunnel::enable_ayiya &&
+		         BifConst::Tunnel::max_depth > 0; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	binpac::AYIYA::AYIYA_Conn* interp;
+};
+
+#endif

src/Analyzer.cc

@@ -4,6 +4,7 @@
 #include "PIA.h"
 #include "Event.h"
 
+#include "AYIYA.h"
 #include "BackDoor.h"
 #include "BitTorrent.h"
 #include "BitTorrentTracker.h"
@@ -33,9 +34,11 @@
 #include "NFS.h"
 #include "Portmap.h"
 #include "POP3.h"
+#include "SOCKS.h"
 #include "SSH.h"
 #include "SSL.h"
 #include "Syslog-binpac.h"
+#include "Teredo.h"
 #include "ConnSizeAnalyzer.h"
 
 // Keep same order here as in AnalyzerTag definition!
@@ -127,6 +130,16 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 		Syslog_Analyzer_binpac::InstantiateAnalyzer,
 		Syslog_Analyzer_binpac::Available, 0, false },
 
+	{ AnalyzerTag::AYIYA, "AYIYA",
+		AYIYA_Analyzer::InstantiateAnalyzer,
+		AYIYA_Analyzer::Available, 0, false },
+	{ AnalyzerTag::SOCKS, "SOCKS",
+		SOCKS_Analyzer::InstantiateAnalyzer,
+		SOCKS_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Teredo, "TEREDO",
+		Teredo_Analyzer::InstantiateAnalyzer,
+		Teredo_Analyzer::Available, 0, false },
+
 	{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
 		File_Analyzer::Available, 0, false },
 	{ AnalyzerTag::Backdoor, "BACKDOOR",

src/Analyzer.h

@@ -215,6 +215,13 @@ public:
 	// analyzer, even if the method is called multiple times.
 	virtual void ProtocolConfirmation();
 
+	// Return whether the analyzer previously called ProtocolConfirmation()
+	// at least once before.
+	//
+	// TODO-Jon: Why virtual?
+	virtual bool ProtocolConfirmed() const
+		{ return protocol_confirmed; }
+
 	// Report that we found a significant protocol violation which might
 	// indicate that the analyzed data is in fact not the expected
 	// protocol.  The protocol_violation event is raised once per call to
@@ -338,6 +345,10 @@ private:
 	for ( analyzer_list::iterator var = the_kids.begin(); \
 	      var != the_kids.end(); var++ )
 
+#define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \
+	for ( analyzer_list::const_iterator var = the_kids.begin(); \
+	      var != the_kids.end(); var++ )
+
 class SupportAnalyzer : public Analyzer {
 public:
 	SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig)

src/AnalyzerTags.h

@@ -33,11 +33,15 @@ namespace AnalyzerTag {
 		DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC,
 		HTTP_BINPAC, SSL, SYSLOG_BINPAC,
 
+		// Decapsulation analyzers.
+		AYIYA,
+		SOCKS,
+		Teredo,
+
 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,
 		ConnSize,
 
-
 		// Support-analyzers
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,

src/CMakeLists.txt

@@ -187,6 +187,9 @@ endmacro(BINPAC_TARGET)
 
 binpac_target(binpac-lib.pac)
 binpac_target(binpac_bro-lib.pac)
+
+binpac_target(ayiya.pac
+    ayiya-protocol.pac ayiya-analyzer.pac)
 binpac_target(bittorrent.pac
     bittorrent-protocol.pac bittorrent-analyzer.pac)
 binpac_target(dce_rpc.pac
@@ -206,6 +209,8 @@ binpac_target(netflow.pac
     netflow-protocol.pac netflow-analyzer.pac)
 binpac_target(smb.pac
     smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
+binpac_target(socks.pac
+    socks-protocol.pac socks-analyzer.pac)
 binpac_target(ssl.pac
     ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac)
 binpac_target(syslog.pac
@@ -277,6 +282,7 @@ set(bro_SRCS
     Anon.cc
     ARP.cc
     Attr.cc
+    AYIYA.cc
     BackDoor.cc
     Base64.cc
     BitTorrent.cc
@@ -375,6 +381,7 @@ set(bro_SRCS
     SmithWaterman.cc
     SMB.cc
     SMTP.cc
+    SOCKS.cc
     SSH.cc
     SSL.cc
     Scope.cc
@@ -391,9 +398,11 @@ set(bro_SRCS
     TCP_Endpoint.cc
     TCP_Reassembler.cc
     Telnet.cc
+    Teredo.cc
     Timer.cc
     Traverse.cc
     Trigger.cc
+    TunnelEncapsulation.cc
     Type.cc
     UDP.cc
     Val.cc

src/Conn.cc

@@ -13,6 +13,7 @@
 #include "Timer.h"
 #include "PIA.h"
 #include "binpac.h"
+#include "TunnelEncapsulation.h"
 
 void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 				int arg_do_expire)
@@ -112,7 +113,7 @@ unsigned int Connection::external_connections = 0;
 IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
 
 Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-                       uint32 flow)
+                       uint32 flow, const Encapsulation* arg_encap)
 	{
 	sessions = s;
 	key = k;
@@ -160,6 +161,11 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
 
 	uid = 0; // Will set later.
 
+	if ( arg_encap )
+		encapsulation = new Encapsulation(arg_encap);
+	else
+		encapsulation = 0;
+
 	if ( conn_timer_mgr )
 		{
 		++external_connections;
@@ -187,12 +193,34 @@ Connection::~Connection()
 	delete key;
 	delete root_analyzer;
 	delete conn_timer_mgr;
+	delete encapsulation;
 
 	--current_connections;
 	if ( conn_timer_mgr )
 		--external_connections;
 	}
 
+void Connection::CheckEncapsulation(const Encapsulation* arg_encap)
+	{
+	if ( encapsulation && arg_encap )
+		{
+		if ( *encapsulation != *arg_encap )
+			Event(tunnel_changed, 0, arg_encap->GetVectorVal());
+		}
+
+	else if ( encapsulation )
+		{
+		Encapsulation empty;
+		Event(tunnel_changed, 0, empty.GetVectorVal());
+		}
+
+	else if ( arg_encap )
+		Event(tunnel_changed, 0, arg_encap->GetVectorVal());
+
+	delete encapsulation;
+	encapsulation = new Encapsulation(arg_encap);
+	}
+
 void Connection::Done()
 	{
 	finished = 1;
@@ -349,6 +377,9 @@ RecordVal* Connection::BuildConnVal()
 
 		char tmp[20];
 		conn_val->Assign(9, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62)));
+
+		if ( encapsulation && encapsulation->Depth() > 0 )
+			conn_val->Assign(10, encapsulation->GetVectorVal());
 		}
 
 	if ( root_analyzer )

src/Conn.h

@@ -13,6 +13,7 @@
 #include "RuleMatcher.h"
 #include "AnalyzerTags.h"
 #include "IPAddr.h"
+#include "TunnelEncapsulation.h"
 
 class Connection;
 class ConnectionTimer;
@@ -51,9 +52,16 @@ class Analyzer;
 class Connection : public BroObj {
 public:
 	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-	           uint32 flow);
+	           uint32 flow, const Encapsulation* arg_encap);
 	virtual ~Connection();
 
+	// Invoked when an encapsulation is discovered. It records the
+	// encapsulation with the connection and raises a "tunnel_changed"
+	// event if it's different from the previous encapsulation (or the
+	// first encountered). encap can be null to indicate no
+	// encapsulation.
+	void CheckEncapsulation(const Encapsulation* encap);
+
 	// Invoked when connection is about to be removed.  Use Ref(this)
 	// inside Done to keep the connection object around (though it'll
 	// no longer be accessible from the dictionary of active
@@ -242,6 +250,11 @@ public:
 
 	void SetUID(uint64 arg_uid)	 { uid = arg_uid; }
 
+	uint64 GetUID() const { return uid; }
+
+	const Encapsulation* GetEncapsulation() const
+		{ return encapsulation; }
+
 	void CheckFlowLabel(bool is_orig, uint32 flow_label);
 
 protected:
@@ -279,6 +292,7 @@ protected:
 	double inactivity_timeout;
 	RecordVal* conn_val;
 	LoginConn* login_conn;	// either nil, or this
+	const Encapsulation* encapsulation; // tunnels
 	int suppress_event;	// suppress certain events to once per conn.
 
 	unsigned int installed_status_timer:1;

src/NetVar.cc

@@ -30,9 +30,6 @@ int partial_connection_ok;
 int tcp_SYN_ack_ok;
 int tcp_match_undelivered;
 
-int encap_hdr_size;
-int udp_tunnel_port;
-
 double frag_timeout;
 
 double tcp_SYN_timeout;
@@ -326,10 +323,6 @@ void init_net_var()
 	tcp_SYN_ack_ok = opt_internal_int("tcp_SYN_ack_ok");
 	tcp_match_undelivered = opt_internal_int("tcp_match_undelivered");
 
-	encap_hdr_size = opt_internal_int("encap_hdr_size");
-
-	udp_tunnel_port = opt_internal_int("udp_tunnel_port") & ~UDP_PORT_MASK;
-
 	frag_timeout = opt_internal_double("frag_timeout");
 
 	tcp_SYN_timeout = opt_internal_double("tcp_SYN_timeout");

src/NetVar.h

@@ -33,9 +33,6 @@ extern int partial_connection_ok;
 extern int tcp_SYN_ack_ok;
 extern int tcp_match_undelivered;
 
-extern int encap_hdr_size;
-extern int udp_tunnel_port;
-
 extern double frag_timeout;
 
 extern double tcp_SYN_timeout;

src/SOCKS.cc

@@ -0,0 +1,79 @@
+#include "SOCKS.h"
+#include "socks_pac.h"
+#include "TCP_Reassembler.h"
+
+SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SOCKS, conn)
+	{
+	interp = new binpac::SOCKS::SOCKS_Conn(this);
+	orig_done = resp_done = false;
+	pia = 0;
+	}
+
+SOCKS_Analyzer::~SOCKS_Analyzer()
+	{
+	delete interp;
+	}
+
+void SOCKS_Analyzer::EndpointDone(bool orig)
+	{
+	if ( orig )
+		orig_done = true;
+	else
+		resp_done = true;
+	}
+
+void SOCKS_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void SOCKS_Analyzer::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	interp->FlowEOF(endp->IsOrig());
+	}
+
+void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() )
+		// punt on partial.
+		return;
+
+	if ( orig_done && resp_done )
+		{
+		// Finished decapsulating tunnel layer. Now do standard processing
+		// with the rest of the conneciton.
+		//
+		// Note that we assume that no payload data arrives before both endpoints
+		// are done with there part of the SOCKS protocol.
+
+		if ( ! pia )
+			{
+			pia = new PIA_TCP(Conn());
+			AddChildAnalyzer(pia);
+			pia->FirstPacket(true, 0);
+			pia->FirstPacket(false, 0);
+			}
+
+		ForwardStream(len, data, orig);
+		}
+	else
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	}
+
+void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	interp->NewGap(orig, len);
+	}
+

src/SOCKS.h

@@ -0,0 +1,45 @@
+#ifndef socks_h
+#define socks_h
+
+// SOCKS v4 analyzer.
+
+#include "TCP.h"
+#include "PIA.h"
+
+namespace binpac  {
+   namespace SOCKS {
+	   class SOCKS_Conn;
+   }
+}
+
+
+class SOCKS_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	SOCKS_Analyzer(Connection* conn);
+	~SOCKS_Analyzer();
+
+	void EndpointDone(bool orig);
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SOCKS_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return socks_request || socks_reply;
+		}
+
+protected:
+
+	bool orig_done;
+	bool resp_done;
+
+	PIA_TCP *pia;
+	binpac::SOCKS::SOCKS_Conn* interp;
+};
+
+#endif

src/Sessions.cc

@@ -30,6 +30,7 @@
 #include "DPM.h"
 
 #include "PacketSort.h"
+#include "TunnelEncapsulation.h"
 
 // These represent NetBIOS services on ephemeral ports.  They're numbered
 // so that we can use a single int to hold either an actual TCP/UDP server
@@ -142,16 +143,6 @@ void NetSessions::Done()
 	{
 	}
 
-namespace	// private namespace
-	{
-	bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
-		{
-		if ( len < int(sizeof(struct ip)) )
-			return false;
-		return ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len;
-		}
-	}
-
 void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			const u_char* pkt, int hdr_size,
 			PktSrc* src_ps, PacketSortElement* pkt_elem)
@@ -167,62 +158,6 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			ip_data = pkt + hdr_size + (ip_hdr->ip_hl << 2);
 		}
 
-	if ( encap_hdr_size > 0 && ip_data )
-		{
-		// We're doing tunnel encapsulation.  Check whether there's
-		// a particular associated port.
-		//
-		// Should we discourage the use of encap_hdr_size for UDP
-		// tunnneling?  It is probably better handled by enabling
-		// BifConst::parse_udp_tunnels instead of specifying a fixed
-		// encap_hdr_size.
-		if ( udp_tunnel_port > 0 )
-			{
-			ASSERT(ip_hdr);
-			if ( ip_hdr->ip_p == IPPROTO_UDP )
-				{
-				const struct udphdr* udp_hdr =
-					reinterpret_cast<const struct udphdr*>
-					(ip_data);
-
-				if ( ntohs(udp_hdr->uh_dport) == udp_tunnel_port )
-					{
-					// A match.
-					hdr_size += encap_hdr_size;
-					}
-				}
-			}
-
-		else
-			// Blanket encapsulation
-			hdr_size += encap_hdr_size;
-		}
-
-	// Check IP packets encapsulated through UDP tunnels.
-	// Specifying a udp_tunnel_port is optional but recommended (to avoid
-	// the cost of checking every UDP packet).
-	else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
-		{
-		const struct udphdr* udp_hdr =
-			reinterpret_cast<const struct udphdr*>(ip_data);
-
-		if ( udp_tunnel_port == 0 || // 0 matches any port
-		     udp_tunnel_port == ntohs(udp_hdr->uh_dport) )
-			{
-			const u_char* udp_data =
-				ip_data + sizeof(struct udphdr);
-			const struct ip* ip_encap =
-				reinterpret_cast<const struct ip*>(udp_data);
-			const int ip_encap_len =
-				ntohs(udp_hdr->uh_ulen) - sizeof(struct udphdr);
-			const int ip_encap_caplen =
-				hdr->caplen - (udp_data - pkt);
-
-			if ( looks_like_IPv4_packet(ip_encap_len, ip_encap) )
-				hdr_size = udp_data - pkt;
-			}
-		}
-
 	if ( src_ps->FilterType() == TYPE_FILTER_NORMAL )
 		NextPacket(t, hdr, pkt, hdr_size, pkt_elem);
 	else
@@ -251,7 +186,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 		// difference here is that header extraction in
 		// PacketSort does not generate Weird events.
 
-		DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size);
+		DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size, 0);
 
 	else
 		{
@@ -276,7 +211,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 		if ( ip->ip_v == 4 )
 			{
 			IP_Hdr ip_hdr(ip, false);
-			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
+			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
 			}
 
 		else if ( ip->ip_v == 6 )
@@ -288,7 +223,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 				}
 
 			IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size), false, caplen);
-			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
+			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
 			}
 
 		else if ( ARP_Analyzer::IsARP(pkt, hdr_size) )
@@ -410,7 +345,7 @@ int NetSessions::CheckConnectionTag(Connection* conn)
 
 void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 				const IP_Hdr* ip_hdr, const u_char* const pkt,
-				int hdr_size)
+				int hdr_size, const Encapsulation* encapsulation)
 	{
 	uint32 caplen = hdr->caplen - hdr_size;
 	const struct ip* ip4 = ip_hdr->IP4_Hdr();
@@ -418,7 +353,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	uint32 len = ip_hdr->TotalLen();
 	if ( hdr->len < len + hdr_size )
 		{
-		Weird("truncated_IP", hdr, pkt);
+		Weird("truncated_IP", hdr, pkt, encapsulation);
 		return;
 		}
 
@@ -430,7 +365,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	if ( ! ignore_checksums && ip4 &&
 	     ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
 		{
-		Weird("bad_IP_checksum", hdr, pkt);
+		Weird("bad_IP_checksum", hdr, pkt, encapsulation);
 		return;
 		}
 
@@ -445,7 +380,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 		if ( caplen < len )
 			{
-			Weird("incompletely_captured_fragment", ip_hdr);
+			Weird("incompletely_captured_fragment", ip_hdr, encapsulation);
 
 			// Don't try to reassemble, that's doomed.
 			// Discard all except the first fragment (which
@@ -472,7 +407,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	len -= ip_hdr_len;	// remove IP header
 	caplen -= ip_hdr_len;
 
-	// We stop building the chain when seeing IPPROTO_ESP so if it's 
+	// We stop building the chain when seeing IPPROTO_ESP so if it's
 	// there, it's always the last.
 	if ( ip_hdr->LastHeader() == IPPROTO_ESP )
 		{
@@ -497,7 +432,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 		if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
 			{
-			Weird("bad_MH_checksum", hdr, pkt);
+			Weird("bad_MH_checksum", hdr, pkt, encapsulation);
 			Remove(f);
 			return;
 			}
@@ -510,7 +445,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 			}
 
 		if ( ip_hdr->NextProto() != IPPROTO_NONE )
-			Weird("mobility_piggyback", hdr, pkt);
+			Weird("mobility_piggyback", hdr, pkt, encapsulation);
 
 		Remove(f);
 		return;
@@ -519,7 +454,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 	int proto = ip_hdr->NextProto();
 
-	if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
+	if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt, encapsulation) )
 		{
 		Remove(f);
 		return;
@@ -585,8 +520,85 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		break;
 		}
 
+	case IPPROTO_IPV4:
+	case IPPROTO_IPV6:
+		{
+		if ( ! BifConst::Tunnel::enable_ip )
+			{
+			Weird("IP_tunnel", ip_hdr, encapsulation);
+			Remove(f);
+			return;
+			}
+
+		if ( encapsulation &&
+		     encapsulation->Depth() >= BifConst::Tunnel::max_depth )
+			{
+			Weird("exceeded_tunnel_max_depth", ip_hdr, encapsulation);
+			Remove(f);
+			return;
+			}
+
+		// Check for a valid inner packet first.
+		IP_Hdr* inner = 0;
+		int result = ParseIPPacket(caplen, data, proto, inner);
+
+		if ( result < 0 )
+			Weird("truncated_inner_IP", ip_hdr, encapsulation);
+
+		else if ( result > 0 )
+			Weird("inner_IP_payload_mismatch", ip_hdr, encapsulation);
+
+		if ( result != 0 )
+			{
+			Remove(f);
+			return;
+			}
+
+		Encapsulation* outer = new Encapsulation(encapsulation);
+
+		// Look up to see if we've already seen this IP tunnel, identified
+		// by the pair of IP addresses, so that we can always associate the
+		// same UID with it.
+		IPPair tunnel_idx;
+		if ( ip_hdr->SrcAddr() < ip_hdr->DstAddr() )
+			tunnel_idx = IPPair(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
+		else
+			tunnel_idx = IPPair(ip_hdr->DstAddr(), ip_hdr->SrcAddr());
+
+		IPTunnelMap::const_iterator it = ip_tunnels.find(tunnel_idx);
+
+		if ( it == ip_tunnels.end() )
+			{
+			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
+			ip_tunnels[tunnel_idx] = ec;
+			outer->Add(ec);
+			}
+		else
+			outer->Add(it->second);
+
+		DoNextInnerPacket(t, hdr, inner, outer);
+
+		delete inner;
+		delete outer;
+		Remove(f);
+		return;
+		}
+
+	case IPPROTO_NONE:
+		{
+		// If the packet is encapsulated in Teredo, then it was a bubble and
+		// the Teredo analyzer may have raised an event for that, else we're
+		// not sure the reason for the No Next header in the packet.
+		if ( ! ( encapsulation &&
+		     encapsulation->LastType() == BifEnum::Tunnel::TEREDO ) )
+			Weird("ipv6_no_next", hdr, pkt);
+
+		Remove(f);
+		return;
+		}
+
 	default:
-		Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
+		Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation);
 		Remove(f);
 		return;
 	}
@@ -602,7 +614,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	conn = (Connection*) d->Lookup(h);
 	if ( ! conn )
 		{
-		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel());
+		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation);
 		if ( conn )
 			d->Insert(h, conn);
 		}
@@ -623,12 +635,15 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 				conn->Event(connection_reused, 0);
 
 			Remove(conn);
-			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel());
+			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation);
 			if ( conn )
 				d->Insert(h, conn);
 			}
 		else
+			{
 			delete h;
+			conn->CheckEncapsulation(encapsulation);
+			}
 		}
 
 	if ( ! conn )
@@ -682,8 +697,63 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		}
 	}
 
+void NetSessions::DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
+		const IP_Hdr* inner, const Encapsulation* outer)
+	{
+	struct pcap_pkthdr fake_hdr;
+	fake_hdr.caplen = fake_hdr.len = inner->TotalLen();
+
+	if ( hdr )
+		fake_hdr.ts = hdr->ts;
+	else
+		// TODO-Jon: use network_time?
+		fake_hdr.ts.tv_sec = fake_hdr.ts.tv_usec = 0;
+
+	const u_char* pkt = 0;
+
+	if ( inner->IP4_Hdr() )
+		pkt = (const u_char*) inner->IP4_Hdr();
+	else
+		pkt = (const u_char*) inner->IP6_Hdr();
+
+	DoNextPacket(t, &fake_hdr, inner, pkt, 0, outer);
+	}
+
+int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
+		IP_Hdr*& inner)
+	{
+	if ( proto == IPPROTO_IPV6 )
+		{
+		if ( caplen < (int)sizeof(struct ip6_hdr) )
+			return -1;
+
+		inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen);
+		}
+
+	else if ( proto == IPPROTO_IPV4 )
+		{
+		if ( caplen < (int)sizeof(struct ip) )
+			return -1;
+
+		inner = new IP_Hdr((const struct ip*) pkt, false);
+		}
+
+	else
+		reporter->InternalError("Bad IP protocol version in DoNextInnerPacket");
+
+	if ( (uint32)caplen != inner->TotalLen() )
+		{
+		delete inner;
+		inner = 0;
+		return (uint32)caplen < inner->TotalLen() ? -1 : 1;
+		}
+
+	return 0;
+	}
+
 bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
-                                   const struct pcap_pkthdr* h, const u_char* p)
+                                   const struct pcap_pkthdr* h,
+                                   const u_char* p, const Encapsulation* encap)
 	{
 	uint32 min_hdr_len = 0;
 	switch ( proto ) {
@@ -693,22 +763,32 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
 	case IPPROTO_UDP:
 		min_hdr_len = sizeof(struct udphdr);
 		break;
+	case IPPROTO_IPV4:
+		min_hdr_len = sizeof(struct ip);
+		break;
+	case IPPROTO_IPV6:
+		min_hdr_len = sizeof(struct ip6_hdr);
+		break;
+	case IPPROTO_NONE:
+		min_hdr_len = 0;
+		break;
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6:
 	default:
 		// Use for all other packets.
 		min_hdr_len = ICMP_MINLEN;
+		break;
 	}
 
 	if ( len < min_hdr_len )
 		{
-		Weird("truncated_header", h, p);
+		Weird("truncated_header", h, p, encap);
 		return true;
 		}
 
 	if ( caplen < min_hdr_len )
 		{
-		Weird("internally_truncated_header", h, p);
+		Weird("internally_truncated_header", h, p, encap);
 		return true;
 		}
 
@@ -1004,7 +1084,8 @@ void NetSessions::GetStats(SessionStats& s) const
 	}
 
 Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
-					const u_char* data, int proto, uint32 flow_label)
+					const u_char* data, int proto, uint32 flow_label,
+					const Encapsulation* encapsulation)
 	{
 	// FIXME: This should be cleaned up a bit, it's too protocol-specific.
 	// But I'm not yet sure what the right abstraction for these things is.
@@ -1060,7 +1141,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 		id = &flip_id;
 		}
 
-	Connection* conn = new Connection(this, k, t, id, flow_label);
+	Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation);
 	conn->SetTransport(tproto);
 	dpm->BuildInitialAnalyzerTree(tproto, conn, data);
 
@@ -1224,18 +1305,26 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
 	reporter->InternalError("%s", msg);
 	}
 
-void NetSessions::Weird(const char* name,
+void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
-			const struct pcap_pkthdr* hdr, const u_char* pkt)
+                        const u_char* pkt, const Encapsulation* encap)
 	{
 	if ( hdr )
 		dump_this_packet = 1;
 
-	reporter->Weird(name);
+	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
+		reporter->Weird(fmt("%s_in_tunnel", name));
+	else
+		reporter->Weird(name);
 	}
 
-void NetSessions::Weird(const char* name, const IP_Hdr* ip)
+void NetSessions::Weird(const char* name, const IP_Hdr* ip,
+                        const Encapsulation* encap)
 	{
-	reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
+	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
+		reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
+		                fmt("%s_in_tunnel", name));
+	else
+		reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
 	}
 
 unsigned int NetSessions::ConnectionMemoryUsage()

src/Sessions.h

@@ -11,9 +11,12 @@
 #include "PacketFilter.h"
 #include "Stats.h"
 #include "NetVar.h"
+#include "TunnelEncapsulation.h"
+#include <utility>
 
 struct pcap_pkthdr;
 
+class Encapsulation;
 class Connection;
 class ConnID;
 class OSFingerprint;
@@ -105,9 +108,10 @@ public:
 
 	void GetStats(SessionStats& s) const;
 
-	void Weird(const char* name,
+	void Weird(const char* name, const struct pcap_pkthdr* hdr,
-		const struct pcap_pkthdr* hdr, const u_char* pkt);
+	    const u_char* pkt, const Encapsulation* encap = 0);
-	void Weird(const char* name, const IP_Hdr* ip);
+	void Weird(const char* name, const IP_Hdr* ip,
+	    const Encapsulation* encap = 0);
 
 	PacketFilter* GetPacketFilter()
 		{
@@ -130,6 +134,43 @@ public:
 		return tcp_conns.Length() + udp_conns.Length() +
 			icmp_conns.Length();
 		}
+		
+	void DoNextPacket(double t, const struct pcap_pkthdr* hdr,
+			const IP_Hdr* ip_hdr, const u_char* const pkt,
+			int hdr_size, const Encapsulation* encapsulation);
+
+	/**
+	 * Wrapper that recurses on DoNextPacket for encapsulated IP packets.
+	 *
+	 * @param t Network time.
+	 * @param hdr If the outer pcap header is available, this pointer can be set
+	 *        so that the fake pcap header passed to DoNextPacket will use
+	 *        the same timeval.  The caplen and len fields of the fake pcap
+	 *        header are always set to the TotalLength() of \a inner.
+	 * @param outer The encapsulation information for the inner IP packet.
+	 */
+	void DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
+	                      const IP_Hdr* inner, const Encapsulation* outer);
+
+	/**
+	 * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
+	 * or IPv6 header based on whether it's long enough to contain such a header
+	 * and also that the payload length field of that header matches the actual
+	 * length of \a pkt given by \a caplen.
+	 *
+	 * @param caplen The length of \a pkt in bytes.
+	 * @param pkt The inner IP packet data.
+	 * @param proto Either IPPROTO_IPV6 or IPPROTO_IPV4 to indicate which IP
+	 *        protocol \a pkt corresponds to.
+	 * @param inner The inner IP packet wrapper pointer to be allocated/assigned
+	 *        if \a pkt looks like a valid IP packet.
+	 * @return 0 If the inner IP packet appeared valid in which case the caller
+	 *         is responsible for deallocating \a inner, else -1 if \a caplen
+	 *         is greater than the supposed IP packet's payload length field or
+	 *         1 if \a caplen is less than the supposed packet's payload length.
+	 */
+	int ParseIPPacket(int caplen, const u_char* const pkt, int proto,
+	                  IP_Hdr*& inner);
 
 	unsigned int ConnectionMemoryUsage();
 	unsigned int ConnectionMemoryUsageConnVals();
@@ -142,7 +183,8 @@ protected:
 	friend class TimerMgrExpireTimer;
 
 	Connection* NewConn(HashKey* k, double t, const ConnID* id,
-			const u_char* data, int proto, uint32 flow_label);
+			const u_char* data, int proto, uint32 flow_lable,
+			const Encapsulation* encapsulation);
 
 	// Check whether the tag of the current packet is consistent with
 	// the given connection.  Returns:
@@ -173,10 +215,6 @@ protected:
 			const u_char* const pkt, int hdr_size,
 			PacketSortElement* pkt_elem);
 
-	void DoNextPacket(double t, const struct pcap_pkthdr* hdr,
-			const IP_Hdr* ip_hdr, const u_char* const pkt,
-			int hdr_size);
-
 	void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
 			const PktSrc* src_ps);
@@ -194,13 +232,17 @@ protected:
 	// from lower-level headers or the length actually captured is less
 	// than that protocol's minimum header size.
 	bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
-	                      const struct pcap_pkthdr* hdr, const u_char* pkt);
+			      const struct pcap_pkthdr* hdr, const u_char* pkt,
+			      const Encapsulation* encap);
 
 	CompositeHash* ch;
 	PDict(Connection) tcp_conns;
 	PDict(Connection) udp_conns;
 	PDict(Connection) icmp_conns;
 	PDict(FragReassembler) fragments;
+	typedef pair<IPAddr, IPAddr> IPPair;
+	typedef std::map<IPPair, EncapsulatingConn> IPTunnelMap;
+	IPTunnelMap ip_tunnels;
 
 	ARP_Analyzer* arp_analyzer;
 

src/Teredo.cc

@@ -0,0 +1,233 @@
+
+#include "Teredo.h"
+#include "IP.h"
+#include "Reporter.h"
+
+void Teredo_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
+                                  bool found_origin, bool found_auth)
+	{
+	if ( len < 2 )
+		{
+		Weird("truncated_Teredo");
+		return false;
+		}
+
+	uint16 tag = ntohs((*((const uint16*)data)));
+
+	if ( tag == 0 )
+		{
+		// Origin Indication
+		if ( found_origin )
+			// can't have multiple origin indications
+			return false;
+
+		if ( len < 8 )
+			{
+			Weird("truncated_Teredo_origin_indication");
+			return false;
+			}
+
+		origin_indication = data;
+		len -= 8;
+		data += 8;
+		return DoParse(data, len, true, found_auth);
+		}
+
+	else if ( tag == 1 )
+		{
+		// Authentication
+		if ( found_origin || found_auth )
+			// can't have multiple authentication headers and can't come after
+			// an origin indication
+			return false;
+
+		if ( len < 4 )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		uint8 id_len = data[2];
+		uint8 au_len = data[3];
+		uint16 tot_len = 4 + id_len + au_len + 8 + 1;
+
+		if ( len < tot_len )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		auth = data;
+		len -= tot_len;
+		data += tot_len;
+		return DoParse(data, len, found_origin, true);
+		}
+
+	else if ( ((tag & 0xf000)>>12) == 6 )
+		{
+		// IPv6
+		if ( len < 40 )
+			{
+			Weird("truncated_IPv6_in_Teredo");
+			return false;
+			}
+
+		if ( len - 40 != ntohs(((const struct ip6_hdr*)data)->ip6_plen) )
+			{
+			Weird("Teredo_payload_len_mismatch");
+			return false;
+			}
+
+		inner_ip = data;
+		return true;
+		}
+
+	return false;
+	}
+
+RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
+	{
+	static RecordType* teredo_hdr_type = 0;
+	static RecordType* teredo_auth_type = 0;
+	static RecordType* teredo_origin_type = 0;
+
+	if ( ! teredo_hdr_type )
+		{
+		teredo_hdr_type = internal_type("teredo_hdr")->AsRecordType();
+		teredo_auth_type = internal_type("teredo_auth")->AsRecordType();
+		teredo_origin_type = internal_type("teredo_origin")->AsRecordType();
+		}
+
+	RecordVal* teredo_hdr = new RecordVal(teredo_hdr_type);
+
+	if ( auth )
+		{
+		RecordVal* teredo_auth = new RecordVal(teredo_auth_type);
+		uint8 id_len = *((uint8*)(auth + 2));
+		uint8 au_len = *((uint8*)(auth + 3));
+		uint64 nonce = ntohll(*((uint64*)(auth + 4 + id_len + au_len)));
+		uint8 conf = *((uint8*)(auth + 4 + id_len + au_len + 8));
+		teredo_auth->Assign(0, new StringVal(
+		    new BroString(auth + 4, id_len, 1)));
+		teredo_auth->Assign(1, new StringVal(
+		    new BroString(auth + 4 + id_len, au_len, 1)));
+		teredo_auth->Assign(2, new Val(nonce, TYPE_COUNT));
+		teredo_auth->Assign(3, new Val(conf, TYPE_COUNT));
+		teredo_hdr->Assign(0, teredo_auth);
+		}
+
+	if ( origin_indication )
+		{
+		RecordVal* teredo_origin = new RecordVal(teredo_origin_type);
+		uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF;
+		uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF;
+		teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP));
+		teredo_origin->Assign(1, new AddrVal(htonl(addr)));
+		teredo_hdr->Assign(1, teredo_origin);
+		}
+
+	teredo_hdr->Assign(2, inner->BuildPktHdrVal());
+	return teredo_hdr;
+	}
+
+void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+                                    int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	TeredoEncapsulation te(this);
+
+	if ( ! te.Parse(data, len) )
+		{
+		ProtocolViolation("Bad Teredo encapsulation", (const char*) data, len);
+		return;
+		}
+
+	const Encapsulation* e = Conn()->GetEncapsulation();
+
+	if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("tunnel_depth");
+		return;
+		}
+
+	IP_Hdr* inner = 0;
+	int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
+
+	if ( rslt == 0 )
+		{
+		if ( BifConst::Tunnel::yielding_teredo_decapsulation &&
+		     ! ProtocolConfirmed() )
+			{
+			// Only confirm the Teredo tunnel and start decapsulating packets
+			// when no other sibling analyzer thinks it's already parsing the
+			// right protocol.
+			bool sibling_has_confirmed = false;
+			if ( Parent() )
+				{
+				LOOP_OVER_GIVEN_CONST_CHILDREN(i, Parent()->GetChildren())
+					{
+					if ( (*i)->ProtocolConfirmed() )
+						sibling_has_confirmed = true;
+					}
+				}
+
+			if ( ! sibling_has_confirmed )
+				ProtocolConfirmation();
+			}
+		else
+			{
+			// Aggressively decapsulate anything with valid Teredo encapsulation
+			ProtocolConfirmation();
+			}
+		}
+
+	else if ( rslt < 0 )
+		ProtocolViolation("Truncated Teredo", (const char*) data, len);
+
+	else
+		ProtocolViolation("Teredo payload length", (const char*) data, len);
+
+	if ( rslt != 0 || ! ProtocolConfirmed() ) return;
+
+	Val* teredo_hdr = 0;
+
+	if ( teredo_packet )
+		{
+		teredo_hdr = te.BuildVal(inner);
+		Conn()->Event(teredo_packet, 0, teredo_hdr);
+		}
+
+	if ( te.Authentication() && teredo_authentication )
+		{
+		teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner);
+		Conn()->Event(teredo_authentication, 0, teredo_hdr);
+		}
+
+	if ( te.OriginIndication() && teredo_origin_indication )
+		{
+		teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner);
+		Conn()->Event(teredo_origin_indication, 0, teredo_hdr);
+		}
+
+	if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble )
+		{
+		teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner);
+		Conn()->Event(teredo_bubble, 0, teredo_hdr);
+		}
+
+	Encapsulation* outer = new Encapsulation(e);
+	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO);
+	outer->Add(ec);
+
+	sessions->DoNextInnerPacket(network_time, 0, inner, outer);
+
+	delete inner;
+	delete outer;
+	}

src/Teredo.h

@@ -0,0 +1,79 @@
+#ifndef Teredo_h
+#define Teredo_h
+
+#include "Analyzer.h"
+#include "NetVar.h"
+
+class Teredo_Analyzer : public Analyzer {
+public:
+	Teredo_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::Teredo, conn)
+		{}
+
+	virtual ~Teredo_Analyzer()
+		{}
+
+	virtual void Done();
+
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Teredo_Analyzer(conn); }
+
+	static bool Available()
+		{ return BifConst::Tunnel::enable_teredo &&
+		         BifConst::Tunnel::max_depth > 0; }
+
+	/**
+	 * Emits a weird only if the analyzer has previously been able to
+	 * decapsulate a Teredo packet since otherwise the weirds could happen
+	 * frequently enough to be less than helpful.
+	 */
+	void Weird(const char* name) const
+		{
+		if ( ProtocolConfirmed() )
+			reporter->Weird(Conn(), name);
+		}
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+};
+
+class TeredoEncapsulation {
+public:
+	TeredoEncapsulation(const Teredo_Analyzer* ta)
+		: inner_ip(0), origin_indication(0), auth(0), analyzer(ta)
+		{}
+
+	/**
+	 * Returns whether input data parsed as a valid Teredo encapsulation type.
+	 * If it was valid, the len argument is decremented appropriately.
+	 */
+	bool Parse(const u_char* data, int& len)
+		{ return DoParse(data, len, false, false); }
+
+	const u_char* InnerIP() const
+		{ return inner_ip; }
+
+	const u_char* OriginIndication() const
+		{ return origin_indication; }
+
+	const u_char* Authentication() const
+		{ return auth; }
+
+	RecordVal* BuildVal(const IP_Hdr* inner) const;
+
+protected:
+	bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);
+
+	void Weird(const char* name) const
+		{ analyzer->Weird(name); }
+
+	const u_char* inner_ip;
+	const u_char* origin_indication;
+	const u_char* auth;
+	const Teredo_Analyzer* analyzer;
+};
+
+#endif

src/TunnelEncapsulation.cc

@@ -0,0 +1,55 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "TunnelEncapsulation.h"
+#include "util.h"
+#include "Conn.h"
+
+EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
+		: src_addr(c->OrigAddr()), dst_addr(c->RespAddr()),
+		  src_port(c->OrigPort()), dst_port(c->RespPort()),
+		  proto(c->ConnTransport()), type(t), uid(c->GetUID())
+	{
+	if ( ! uid )
+		{
+		uid = calculate_unique_id();
+		c->SetUID(uid);
+		}
+	}
+
+RecordVal* EncapsulatingConn::GetRecordVal() const
+	{
+	RecordVal *rv = new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);
+
+	RecordVal* id_val = new RecordVal(conn_id);
+	id_val->Assign(0, new AddrVal(src_addr));
+	id_val->Assign(1, new PortVal(ntohs(src_port), proto));
+	id_val->Assign(2, new AddrVal(dst_addr));
+	id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
+	rv->Assign(0, id_val);
+	rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
+
+	char tmp[20];
+	rv->Assign(2, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62)));
+
+	return rv;
+	}
+
+bool operator==(const Encapsulation& e1, const Encapsulation& e2)
+	{
+	if ( ! e1.conns )
+		return e2.conns;
+
+	if ( ! e2.conns )
+		return false;
+
+	if ( e1.conns->size() != e2.conns->size() )
+		return false;
+
+	for ( size_t i = 0; i < e1.conns->size(); ++i )
+		{
+		if ( (*e1.conns)[i] != (*e2.conns)[i] )
+			return false;
+		}
+
+	return true;
+	}

src/TunnelEncapsulation.h

@@ -0,0 +1,222 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef TUNNELS_H
+#define TUNNELS_H
+
+#include "config.h"
+#include "NetVar.h"
+#include "IPAddr.h"
+#include "Val.h"
+#include <vector>
+
+class Connection;
+
+/**
+ * Represents various types of tunnel "connections", that is, a pair of
+ * endpoints whose communication encapsulates inner IP packets.  This could
+ * mean IP packets nested inside IP packets or IP packets nested inside a
+ * transport layer protocol.  EncapsulatingConn's are assigned a UID, which can
+ * be shared with Connection's in the case the tunnel uses a transport-layer.
+ */
+class EncapsulatingConn {
+public:
+	/**
+	 * Default tunnel connection constructor.
+	 */
+	EncapsulatingConn()
+		: src_port(0), dst_port(0), proto(TRANSPORT_UNKNOWN),
+		  type(BifEnum::Tunnel::NONE), uid(0)
+		{}
+
+	/**
+	 * Construct an IP tunnel "connection" with its own UID.
+	 * The assignment of "source" and "destination" addresses here can be
+	 * arbitrary, comparison between EncapsulatingConn objects will treat IP
+	 * tunnels as equivalent as long as the same two endpoints are involved.
+	 *
+	 * @param s The tunnel source address, likely taken from an IP header.
+	 * @param d The tunnel destination address, likely taken from an IP header.
+	 */
+	EncapsulatingConn(const IPAddr& s, const IPAddr& d)
+		: src_addr(s), dst_addr(d), src_port(0), dst_port(0),
+		  proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP)
+		{
+		uid = calculate_unique_id();
+		}
+
+	/**
+	 * Construct a tunnel connection using information from an already existing
+	 * transport-layer-aware connection object.
+	 *
+	 * @param c The connection from which endpoint information can be extracted.
+	 *        If it already has a UID associated with it, that gets inherited,
+	 *        otherwise a new UID is created for this tunnel and \a c.
+	 * @param t The type of tunneling that is occurring over the connection.
+	 */
+	EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t);
+
+	/**
+	 * Copy constructor.
+	 */
+	EncapsulatingConn(const EncapsulatingConn& other)
+		: src_addr(other.src_addr), dst_addr(other.dst_addr),
+		  src_port(other.src_port), dst_port(other.dst_port),
+		  proto(other.proto), type(other.type), uid(other.uid)
+		{}
+
+	/**
+	 * Destructor.
+	 */
+	~EncapsulatingConn()
+		{}
+
+	BifEnum::Tunnel::Type Type() const
+		{ return type; }
+
+	/**
+	 * Returns record value of type "EncapsulatingConn" representing the tunnel.
+	 */
+	RecordVal* GetRecordVal() const;
+
+	friend bool operator==(const EncapsulatingConn& ec1,
+	                       const EncapsulatingConn& ec2)
+		{
+		if ( ec1.type != ec2.type )
+			return false;
+
+		if ( ec1.type == BifEnum::Tunnel::IP )
+			// Reversing endpoints is still same tunnel.
+			return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
+			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
+
+		return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
+		       ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
+		       ec1.uid == ec2.uid && ec1.proto == ec2.proto;
+		}
+
+	friend bool operator!=(const EncapsulatingConn& ec1,
+	                       const EncapsulatingConn& ec2)
+		{
+		return ! ( ec1 == ec2 );
+		}
+
+protected:
+	IPAddr src_addr;
+	IPAddr dst_addr;
+	uint16 src_port;
+	uint16 dst_port;
+	TransportProto proto;
+	BifEnum::Tunnel::Type type;
+	uint64 uid;
+};
+
+/**
+ * Abstracts an arbitrary amount of nested tunneling.
+ */
+
+// TODO-Jon: Rename EncapsulationChain or EncapsulationStack? I'd prefer to
+// have notion in there that this covers multiple levels of encapsulations.
+class Encapsulation {
+public:
+	Encapsulation() : conns(0)
+		{}
+
+	Encapsulation(const Encapsulation& other)
+		{
+		if ( other.conns )
+			conns = new vector<EncapsulatingConn>(*(other.conns));
+		else
+			conns = 0;
+		}
+
+	// TODO-Jon: I don't like the ptr-version of the ctor. When reading
+	// the code using that, I can't tell what it does with the pointer
+	// (i.e., that it deep-copied the object). Can we use just the
+	// reference version above? That may mean more "if ( not null )" at
+	// the caller end though.
+	Encapsulation(const Encapsulation* other)
+		{
+		if ( other && other->conns )
+			conns = new vector<EncapsulatingConn>(*(other->conns));
+		else
+			conns = 0;
+		}
+
+	Encapsulation& operator=(const Encapsulation& other)
+		{
+		if ( this == &other )
+			return *this;
+
+		delete conns;
+
+		if ( other.conns )
+			conns = new vector<EncapsulatingConn>(*(other.conns));
+		else
+			conns = 0;
+
+		return *this;
+		}
+
+	~Encapsulation() { delete conns; }
+
+	/**
+	 * Add a new inner-most tunnel to the Encapsulation.
+	 *
+	 * @param c The new inner-most tunnel to append to the tunnel chain.
+	 */
+	void Add(const EncapsulatingConn& c)
+		{
+		if ( ! conns )
+			conns = new vector<EncapsulatingConn>();
+
+		conns->push_back(c);
+		}
+
+	/**
+	 * Return how many nested tunnels are involved in a encapsulation, zero
+	 * meaning no tunnels are present.
+	 */
+	size_t Depth() const
+		{
+		return conns ? conns->size() : 0;
+		}
+
+	/**
+	 * Return the tunnel type of the inner-most tunnel.
+	 */
+	BifEnum::Tunnel::Type LastType() const
+		{
+		return conns ? (*conns)[conns->size()-1].Type() : BifEnum::Tunnel::NONE;
+		}
+
+	/**
+	 * Get the value of type "EncapsulatingConnVector" represented by the
+	 * entire encapsulation chain.
+	 */
+	VectorVal* GetVectorVal() const
+		{
+		VectorVal* vv = new VectorVal(
+		    internal_type("EncapsulatingConnVector")->AsVectorType());
+
+		if ( conns )
+			{
+			for ( size_t i = 0; i < conns->size(); ++i )
+				vv->Assign(i, (*conns)[i].GetRecordVal(), 0);
+			}
+
+		return vv;
+		}
+
+	friend bool operator==(const Encapsulation& e1, const Encapsulation& e2);
+
+	friend bool operator!=(const Encapsulation& e1, const Encapsulation& e2)
+		{
+		return ! ( e1 == e2 );
+		}
+
+protected:
+	vector<EncapsulatingConn>* conns;
+};
+
+#endif

src/ayiya-analyzer.pac

@@ -0,0 +1,90 @@
+
+connection AYIYA_Conn(bro_analyzer: BroAnalyzer)
+	{
+	upflow = AYIYA_Flow;
+	downflow = AYIYA_Flow;
+	};
+
+flow AYIYA_Flow
+	{
+	datagram = PDU withcontext(connection, this);
+
+	function process_ayiya(pdu: PDU): bool
+		%{
+		Connection *c = connection()->bro_analyzer()->Conn();
+		const Encapsulation* e = c->GetEncapsulation();
+
+		if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+			{
+			reporter->Weird(c, "tunnel_depth");
+			return false;
+			}
+
+		if ( ${pdu.op} != 1 )
+			{
+			// 1 is the "forward" command.
+			return false;
+			}
+
+		if ( ${pdu.next_header} != IPPROTO_IPV6 &&
+		     ${pdu.next_header} != IPPROTO_IPV4 )
+			{
+			reporter->Weird(c, "ayiya_tunnel_non_ip");
+			return false;
+			}
+
+		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+			{
+			connection()->bro_analyzer()->ProtocolViolation(
+			    "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
+			    ${pdu.packet}.length());
+			return false;
+			}
+
+		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+		if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
+		     ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
+			{
+			connection()->bro_analyzer()->ProtocolViolation(
+			    "AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
+			     ${pdu.packet}.length());
+			return false;
+			}
+
+		IP_Hdr* inner = 0;
+		int result = sessions->ParseIPPacket(${pdu.packet}.length(),
+		     ${pdu.packet}.data(), ${pdu.next_header}, inner);
+
+		if ( result == 0 )
+			connection()->bro_analyzer()->ProtocolConfirmation();
+
+		else if ( result < 0 )
+			connection()->bro_analyzer()->ProtocolViolation(
+			    "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
+			    ${pdu.packet}.length());
+
+		else
+			connection()->bro_analyzer()->ProtocolViolation(
+			    "AYIYA payload length", (const char*) ${pdu.packet}.data(),
+			    ${pdu.packet}.length());
+
+		if ( result != 0 )
+			return false;
+
+		Encapsulation* outer = new Encapsulation(e);
+		EncapsulatingConn ec(c, BifEnum::Tunnel::AYIYA);
+		outer->Add(ec);
+
+		sessions->DoNextInnerPacket(network_time(), 0, inner, outer);
+
+		delete inner;
+		delete outer;
+		return (result == 0) ? true : false;
+		%}
+
+	};
+
+refine typeattr PDU += &let {
+	proc_ayiya = $context.flow.process_ayiya(this);
+};

src/ayiya-protocol.pac

@@ -0,0 +1,16 @@
+
+type PDU = record {
+	identity_byte:  uint8;
+	signature_byte: uint8;
+	auth_and_op:    uint8;
+	next_header:    uint8;
+	epoch:          uint32;
+	identity:       bytestring &length=identity_len;
+	signature:      bytestring &length=signature_len;
+	packet:         bytestring &restofdata;
+} &let {
+	identity_len  = (1 << (identity_byte >> 4));
+	signature_len = (signature_byte >> 4) * 4;
+	auth = auth_and_op >> 4;
+	op = auth_and_op & 0xF;
+} &byteorder = littleendian;

src/ayiya.pac

@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer AYIYA withcontext {
+	connection:	AYIYA_Conn;
+	flow:		AYIYA_Flow;
+};
+
+%include ayiya-protocol.pac
+%include ayiya-analyzer.pac

src/const.bif

@@ -4,7 +4,6 @@
 
 const ignore_keep_alive_rexmit: bool;
 const skip_http_data: bool;
-const parse_udp_tunnels: bool;
 const use_conn_size_analyzer: bool;
 const report_gaps_for_partial: bool;
 
@@ -12,4 +11,10 @@ const NFS3::return_data: bool;
 const NFS3::return_data_max: count;
 const NFS3::return_data_first_only: bool;
 
+const Tunnel::max_depth: count;
+const Tunnel::enable_ip: bool;
+const Tunnel::enable_ayiya: bool;
+const Tunnel::enable_teredo: bool;
+const Tunnel::yielding_teredo_decapsulation: bool;
+
 const Threading::heartbeat_interval: interval;

src/event.bif

@@ -141,6 +141,18 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr
 ##    event.
 event new_connection%(c: connection%);
 
+## Generated for a connection whose tunneling has changed.  This could
+## be from a previously seen connection now being encapsulated in a tunnel,
+## or from the outer encapsulation changing.  Note that the connection's
+## *tunnel* field is NOT automatically assigned to the new encapsulation value
+## internally after this event is raised.
+## TODO-Jon: I'm not sure what the last sentence is supposed to tell me?
+##
+## c: The connection whose tunnel/encapsulation changed.
+##
+## e: The new encapsulation.
+event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
+
 ## Generated when reassembly starts for a TCP connection. The event is raised
 ## at the moment when Bro's TCP analyzer enables stream reassembly for a
 ## connection.
@@ -500,6 +512,61 @@ event esp_packet%(p: pkt_hdr%);
 ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
 event mobile_ipv6_message%(p: pkt_hdr%);
 
+## Genereated for any IPv6 packet encapsulated in a Teredo tunnel.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particular expensive for real-time analysis.
+event teredo_packet%(outer: connection, inner: teredo_hdr%);
+
+## Genereated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo authentication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particular expensive for real-time analysis.
+event teredo_authentication%(outer: connection, inner: teredo_hdr%);
+
+## Genereated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo origin indication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particular expensive for real-time analysis.
+event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
+
+## Genereated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particular expensive for real-time analysis.
+event teredo_bubble%(outer: connection, inner: teredo_hdr%);
+
 ## Generated for every packet that has non-empty transport-layer payload. This is a
 ## very low-level and expensive event that should be avoided when at all possible.
 ## It's usually  infeasible to handle when processing even medium volumes of
@@ -769,8 +836,9 @@ event udp_reply%(u: connection%);
 event udp_contents%(u: connection, is_orig: bool, contents: string%);
 
 ## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising this
+## Bro's application-layer UDP analyzers flag the end of a session by raising
-## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this.
+## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
+## and Teredo support this.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
@@ -6027,6 +6095,26 @@ event syslog_message%(c: connection, facility: count, severity: count, msg: stri
 ## to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
 
+## Generated when a SOCKS request is analyzed.
+##
+## c: The parent connection of the proxy.
+##
+## t: The type of the request.
+##
+## dstaddr: Address that the tunneled traffic should be sent to.
+##
+## dstname: DNS name of the host that the tunneled traffic should be sent to.
+##
+## p: The destination port for the proxied traffic.
+##
+## user: Username given for the SOCKS connection.
+event socks_request%(c: connection, request_type: count, dstaddr: addr, dstname: string, p: port, user: string%);
+
+## Generated when a SOCKS reply is analyzed.
+##
+##
+event socks_reply%(c: connection, granted: bool, dst: addr, p: port%);
+
 ## Generated when a protocol analyzer finds an identification of a software
 ## used on a system. This is a protocol-independent event that is fed by
 ## different analyzers. For example, the HTTP analyzer reports user-agent and

src/socks-analyzer.pac

@@ -0,0 +1,57 @@
+
+%header{
+StringVal* array_to_string(vector<uint8> *a);
+%}
+
+%code{
+StringVal* array_to_string(vector<uint8> *a)
+	{
+	int len = a->size();
+	char tmp[len];
+	char *s = tmp;
+	for ( vector<uint8>::iterator i = a->begin(); i != a->end(); *s++ = *i++ );
+
+	while ( len > 0 && tmp[len-1] == '\0' )
+		--len;
+
+	return new StringVal(len, tmp);
+	}
+%}
+
+refine connection SOCKS_Conn += {
+	function socks_request(cmd: uint8, dstaddr: uint32, dstname: uint8[], p: uint16, user: uint8[]): bool
+		%{
+		BifEvent::generate_socks_request(bro_analyzer(),
+		                                 bro_analyzer()->Conn(),
+		                                 cmd,
+		                                 new AddrVal(htonl(dstaddr)),
+		                                 array_to_string(dstname),
+		                                 new PortVal(p | TCP_PORT_MASK),
+		                                 array_to_string(user));
+
+		static_cast<SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
+
+		return true;
+		%}
+
+	function socks_reply(granted: bool, dst: uint32, p: uint16): bool
+		%{
+		BifEvent::generate_socks_reply(bro_analyzer(),
+		                               bro_analyzer()->Conn(),
+		                               granted,
+		                               new AddrVal(htonl(dst)),
+		                               new PortVal(p | TCP_PORT_MASK));
+
+		bro_analyzer()->ProtocolConfirmation();
+		static_cast<SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
+		return true;
+		%}
+};
+
+refine typeattr SOCKS_Request += &let {
+	proc: bool = $context.connection.socks_request(command, addr, empty, port, user);
+};
+
+refine typeattr SOCKS_Reply += &let {
+	proc: bool = $context.connection.socks_reply((status == 0x5a), addr, port);
+};

src/socks-protocol.pac

@@ -0,0 +1,34 @@
+type SOCKS_Message(is_orig: bool) = case is_orig of {
+	true ->  request: SOCKS_Request;
+	false -> reply:   SOCKS_Reply;
+};
+
+type SOCKS_Request = record {
+	version:  uint8;
+	command:  uint8;
+	port:     uint16;
+	addr:     uint32;
+	user:     uint8[] &until($element == 0);
+
+	host:     case v4a of {
+		true  -> name:  uint8[] &until($element == 0); # v4a
+		false -> empty: uint8[] &length=0;
+	} &requires(v4a);
+
+	# FIXME: Can this be non-zero? If so we need to keep it for the
+	# next analyzer.
+	rest: bytestring &restofdata;
+} &byteorder = bigendian &let {
+	v4a: bool = (addr <= 0x000000ff);
+};
+
+type SOCKS_Reply = record {
+	zero:    uint8;
+	status:  uint8;
+	port:     uint16;
+	addr:     uint32;
+
+	# FIXME: Can this be non-zero? If so we need to keep it for the
+	# next analyzer.
+	rest: bytestring &restofdata;
+} &byteorder = bigendian;

src/socks.pac

@@ -0,0 +1,24 @@
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "SOCKS.h"
+%}
+
+analyzer SOCKS withcontext {
+    connection: SOCKS_Conn;
+    flow:       SOCKS_Flow;
+};
+
+connection SOCKS_Conn(bro_analyzer: BroAnalyzer) {
+    upflow   = SOCKS_Flow(true);
+    downflow = SOCKS_Flow(false);
+};
+
+%include socks-protocol.pac
+
+flow SOCKS_Flow(is_orig: bool) {
+	datagram = SOCKS_Message(is_orig) withcontext(connection, this);
+};
+
+%include socks-analyzer.pac

src/types.bif

@@ -169,6 +169,17 @@ enum ID %{
 	Unknown,
 %}
 
+module Tunnel;
+enum Type %{
+	NONE,
+	IP,
+	AYIYA,
+	TEREDO,
+	SOCKS,
+%}
+
+type EncapsulatingConn: record;
+
 module Input;
 
 enum Reader %{

testing/btest/Baseline/core.leaks.ayiya/conn.log

@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1257655301.595604	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	tcp	http	2.101052	2981	4665	S1	-	0	ShADad	10	3605	11	5329	k6kgXLOoSKl
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	udp	ayiya	20.879001	5129	6109	SF	-	0	Dd	21	5717	13	6473	(empty)
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	udp	ayiya	-	-	-	SHR	-	0	d	0	0	1	176	(empty)
+1257655296.585333	FrJExwHcSal	::	135	ff02::1:ff00:2	136	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	k6kgXLOoSKl
+1257655293.629048	arKYeMETxOg	2001:4978:f:4c::1	128	2001:4978:f:4c::2	129	icmp	-	23.834987	168	56	OTH	-	0	-	3	312	1	104	UWkUyAuUGXf,k6kgXLOoSKl
+1257655296.585188	TEfuqmmG4bh	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff00:2	130	icmp	-	0.919988	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl
+1257655296.585151	j4u32Pc5bif	fe80::216:cbff:fe9a:4cb9	131	ff02::2:f901:d225	130	icmp	-	0.719947	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl
+1257655296.585034	nQcgTWjvg4c	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff9a:4cb9	130	icmp	-	4.922880	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl

testing/btest/Baseline/core.leaks.ayiya/http.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1257655301.652206	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1257655302.514424	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-
+1257655303.603569	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-

testing/btest/Baseline/core.leaks.ayiya/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#types	time	string	addr	port	addr	port	enum	enum
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
+1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
+1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA

testing/btest/Baseline/core.leaks.ip-in-ip/output

@@ -0,0 +1,13 @@
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=arKYeMETxOg]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+tunnel_changed:
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+    new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=k6kgXLOoSKl]]

testing/btest/Baseline/core.leaks.teredo/conn.log

@@ -0,0 +1,28 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1210953047.736921	arKYeMETxOg	192.168.2.16	1576	75.126.130.163	80	tcp	-	0.000357	0	0	SHR	-	0	fA	1	40	1	40	(empty)
+1210953050.867067	k6kgXLOoSKl	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.000387	0	0	SHR	-	0	fA	1	40	1	40	(empty)
+1210953057.833364	5OKnoww6xl4	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.079208	0	0	SH	-	0	Fa	1	40	1	40	(empty)
+1210953058.007081	VW0XPVINV8a	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	RSTOS0	-	0	R	1	40	0	0	(empty)
+1210953057.834454	3PKsZ2Uye21	192.168.2.16	1578	75.126.203.78	80	tcp	http	0.407908	790	171	RSTO	-	0	ShADadR	6	1038	4	335	(empty)
+1210953058.350065	fRFu0wcOle6	192.168.2.16	1920	192.168.2.1	53	udp	dns	0.223055	66	438	SF	-	0	Dd	2	122	2	494	(empty)
+1210953058.577231	qSsw6ESzHV4	192.168.2.16	137	192.168.2.255	137	udp	dns	1.499261	150	0	S0	-	0	D	3	234	0	0	(empty)
+1210953074.264819	Tw8jXtpTGu6	192.168.2.16	1920	192.168.2.1	53	udp	dns	0.297723	123	598	SF	-	0	Dd	3	207	3	682	(empty)
+1210953061.312379	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	tcp	http	12.810848	1675	10467	S1	-	0	ShADad	10	2279	12	11191	GSxOnSLghOa
+1210953076.058333	EAr0uf4mhq	192.168.2.16	1578	75.126.203.78	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.055744	h5DsfNtYzi1	192.168.2.16	1577	75.126.203.78	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.057124	P654jzLoe3a	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.570439	c4Zw9TmAE05	192.168.2.16	1580	67.228.110.120	80	tcp	http	0.466677	469	3916	SF	-	0	ShADadFf	7	757	6	4164	(empty)
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	udp	teredo	8.928880	129	48	SF	-	0	Dd	2	185	1	76	(empty)
+1210953060.829233	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	udp	teredo	13.293994	2359	11243	SF	-	0	Dd	12	2695	13	11607	(empty)
+1210953058.933954	iE6yhOq3SF	0.0.0.0	68	255.255.255.255	67	udp	-	-	-	-	S0	-	0	D	1	328	0	0	(empty)
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	137	(empty)
+1210953046.591933	UWkUyAuUGXf	192.168.2.16	138	192.168.2.255	138	udp	-	28.448321	416	0	S0	-	0	D	2	472	0	0	(empty)
+1210953052.324629	FrJExwHcSal	fe80::8000:f227:bec8:61af	134	fe80::8000:ffff:ffff:fffd	133	icmp	-	-	-	-	OTH	-	0	-	1	88	0	0	TEfuqmmG4bh
+1210953060.829303	qCaWGmzFtM5	2001:0:4137:9e50:8000:f12a:b9c8:2815	128	2001:4860:0:2001::68	129	icmp	-	0.463615	4	4	OTH	-	0	-	1	52	1	52	GSxOnSLghOa,nQcgTWjvg4c
+1210953052.202579	j4u32Pc5bif	fe80::8000:ffff:ffff:fffd	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	nQcgTWjvg4c

testing/btest/Baseline/core.leaks.teredo/http.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1210953057.917183	3PKsZ2Uye21	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	text/plain	-	-
+1210953061.585996	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1210953073.381474	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1210953074.674817	c4Zw9TmAE05	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	text/xml	-	-

testing/btest/Baseline/core.leaks.teredo/output

@@ -0,0 +1,83 @@
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]

testing/btest/Baseline/core.leaks.teredo/tunnel.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#types	time	string	addr	port	addr	port	enum	enum
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
+1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
+1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO

testing/btest/Baseline/core.print-bpf-filters/conn.log

@@ -3,6 +3,6 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
-1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945
+1128727435.450898	UWkUyAuUGXf	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945	(empty)

testing/btest/Baseline/core.print-bpf-filters/output

@@ -5,7 +5,7 @@
 #path	packet_filter
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1328294052.330721	-	ip or not ip	T	T
+1335456050.312960	-	ip or not ip	T	T
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -13,7 +13,7 @@
 #path	packet_filter
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1328294052.542418	-	((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
+1335456050.557822	-	((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -21,7 +21,7 @@
 #path	packet_filter
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1328294052.748480	-	port 42	T	T
+1335456050.805695	-	port 42	T	T
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -29,4 +29,4 @@
 #path	packet_filter
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1328294052.952845	-	port 56730	T	T
+1335456051.042953	-	port 56730	T	T

testing/btest/Baseline/core.tunnels.ayiya/conn.log

@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1257655301.595604	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	tcp	http	2.101052	2981	4665	S1	-	0	ShADad	10	3605	11	5329	k6kgXLOoSKl
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	udp	ayiya	20.879001	5129	6109	SF	-	0	Dd	21	5717	13	6473	(empty)
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	udp	ayiya	-	-	-	SHR	-	0	d	0	0	1	176	(empty)
+1257655296.585333	FrJExwHcSal	::	135	ff02::1:ff00:2	136	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	k6kgXLOoSKl
+1257655293.629048	arKYeMETxOg	2001:4978:f:4c::1	128	2001:4978:f:4c::2	129	icmp	-	23.834987	168	56	OTH	-	0	-	3	312	1	104	UWkUyAuUGXf,k6kgXLOoSKl
+1257655296.585188	TEfuqmmG4bh	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff00:2	130	icmp	-	0.919988	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl
+1257655296.585151	j4u32Pc5bif	fe80::216:cbff:fe9a:4cb9	131	ff02::2:f901:d225	130	icmp	-	0.719947	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl
+1257655296.585034	nQcgTWjvg4c	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff9a:4cb9	130	icmp	-	4.922880	32	0	OTH	-	0	-	2	144	0	0	k6kgXLOoSKl

testing/btest/Baseline/core.tunnels.ayiya/http.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1257655301.652206	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1257655302.514424	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-
+1257655303.603569	5OKnoww6xl4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-

testing/btest/Baseline/core.tunnels.ayiya/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#types	time	string	addr	port	addr	port	enum	enum
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
+1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
+1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA

testing/btest/Baseline/core.tunnels.false-teredo/weird.log

@@ -0,0 +1,19 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1258567191.405770	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258567191.486869	UWkUyAuUGXf	192.168.1.105	57696	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro
+1258578181.260420	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258578181.516140	nQcgTWjvg4c	192.168.1.104	64838	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro
+1258579063.557927	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258579063.784919	j4u32Pc5bif	192.168.1.104	55778	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro
+1258581768.568451	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258581768.898165	TEfuqmmG4bh	192.168.1.104	50798	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro
+1258584478.859853	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258584478.989528	FrJExwHcSal	192.168.1.104	64963	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro
+1258600683.934458	-	-	-	-	-	truncated_header_in_tunnel	-	F	bro
+1258600683.934672	5OKnoww6xl4	192.168.1.103	59838	192.168.1.1	53	Teredo_payload_len_mismatch	-	F	bro

testing/btest/Baseline/core.tunnels.ip-in-ip/output

@@ -0,0 +1,22 @@
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=arKYeMETxOg]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+new_connection: tunnel
+    conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp]
+    encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+new_connection: tunnel
+    conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp]
+    encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+tunnel_changed:
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+    new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=k6kgXLOoSKl]]

testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output

@@ -0,0 +1,33 @@
+new_connection: tunnel
+    conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]
+NEW_PACKET:
+    [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp]
+    [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]]

testing/btest/Baseline/core.tunnels.teredo/conn.log

@@ -0,0 +1,28 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1210953047.736921	arKYeMETxOg	192.168.2.16	1576	75.126.130.163	80	tcp	-	0.000357	0	0	SHR	-	0	fA	1	40	1	40	(empty)
+1210953050.867067	k6kgXLOoSKl	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.000387	0	0	SHR	-	0	fA	1	40	1	40	(empty)
+1210953057.833364	5OKnoww6xl4	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.079208	0	0	SH	-	0	Fa	1	40	1	40	(empty)
+1210953058.007081	VW0XPVINV8a	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	RSTOS0	-	0	R	1	40	0	0	(empty)
+1210953057.834454	3PKsZ2Uye21	192.168.2.16	1578	75.126.203.78	80	tcp	http	0.407908	790	171	RSTO	-	0	ShADadR	6	1038	4	335	(empty)
+1210953058.350065	fRFu0wcOle6	192.168.2.16	1920	192.168.2.1	53	udp	dns	0.223055	66	438	SF	-	0	Dd	2	122	2	494	(empty)
+1210953058.577231	qSsw6ESzHV4	192.168.2.16	137	192.168.2.255	137	udp	dns	1.499261	150	0	S0	-	0	D	3	234	0	0	(empty)
+1210953074.264819	Tw8jXtpTGu6	192.168.2.16	1920	192.168.2.1	53	udp	dns	0.297723	123	598	SF	-	0	Dd	3	207	3	682	(empty)
+1210953061.312379	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	tcp	http	12.810848	1675	10467	S1	-	0	ShADad	10	2279	12	11191	GSxOnSLghOa
+1210953076.058333	EAr0uf4mhq	192.168.2.16	1578	75.126.203.78	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.055744	h5DsfNtYzi1	192.168.2.16	1577	75.126.203.78	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.057124	P654jzLoe3a	192.168.2.16	1576	75.126.130.163	80	tcp	-	-	-	-	RSTRH	-	0	r	0	0	1	40	(empty)
+1210953074.570439	c4Zw9TmAE05	192.168.2.16	1580	67.228.110.120	80	tcp	http	0.466677	469	3916	SF	-	0	ShADadFf	7	757	6	4164	(empty)
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	udp	teredo	8.928880	129	48	SF	-	0	Dd	2	185	1	76	(empty)
+1210953060.829233	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	udp	teredo	13.293994	2359	11243	SF	-	0	Dd	12	2695	13	11607	(empty)
+1210953058.933954	iE6yhOq3SF	0.0.0.0	68	255.255.255.255	67	udp	-	-	-	-	S0	-	0	D	1	328	0	0	(empty)
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	137	(empty)
+1210953046.591933	UWkUyAuUGXf	192.168.2.16	138	192.168.2.255	138	udp	-	28.448321	416	0	S0	-	0	D	2	472	0	0	(empty)
+1210953052.324629	FrJExwHcSal	fe80::8000:f227:bec8:61af	134	fe80::8000:ffff:ffff:fffd	133	icmp	-	-	-	-	OTH	-	0	-	1	88	0	0	TEfuqmmG4bh
+1210953060.829303	qCaWGmzFtM5	2001:0:4137:9e50:8000:f12a:b9c8:2815	128	2001:4860:0:2001::68	129	icmp	-	0.463615	4	4	OTH	-	0	-	1	52	1	52	GSxOnSLghOa,nQcgTWjvg4c
+1210953052.202579	j4u32Pc5bif	fe80::8000:ffff:ffff:fffd	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	nQcgTWjvg4c

testing/btest/Baseline/core.tunnels.teredo/http.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1210953057.917183	3PKsZ2Uye21	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	text/plain	-	-
+1210953061.585996	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1210953073.381474	70MGiRM1Qf4	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1210953074.674817	c4Zw9TmAE05	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	text/xml	-	-

testing/btest/Baseline/core.tunnels.teredo/output

@@ -0,0 +1,83 @@
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
+    auth: [id=, value=, nonce=14796129349558001544, confirm=0]
+    origin: [p=3797/udp, a=70.55.215.234]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+    origin: [p=32900/udp, a=83.170.1.38]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
+bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
+packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
+    ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]

testing/btest/Baseline/core.tunnels.teredo/tunnel.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#types	time	string	addr	port	addr	port	enum	enum
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
+1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
+1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
+1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO

testing/btest/Baseline/core.vlan-mpls/conn.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
-952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.102560	26	0	SH	-	0	SADF	11	470	0	0
+952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.102560	26	0	SH	-	0	SADF	11	470	0	0	(empty)
-1128727435.450898	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945
+1128727435.450898	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945	(empty)
-1278600802.069419	k6kgXLOoSKl	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801
+1278600802.069419	k6kgXLOoSKl	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801	(empty)

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -68,6 +68,8 @@ scripts/base/init-default.bro
     scripts/base/frameworks/intel/./main.bro
   scripts/base/frameworks/reporter/__load__.bro
     scripts/base/frameworks/reporter/./main.bro
+  scripts/base/frameworks/tunnels/__load__.bro
+    scripts/base/frameworks/tunnels/./main.bro
   scripts/base/protocols/conn/__load__.bro
     scripts/base/protocols/conn/./main.bro
     scripts/base/protocols/conn/./contents.bro
@@ -92,6 +94,8 @@ scripts/base/init-default.bro
     scripts/base/protocols/smtp/./main.bro
     scripts/base/protocols/smtp/./entities.bro
     scripts/base/protocols/smtp/./entities-excerpt.bro
+  scripts/base/protocols/socks/__load__.bro
+    scripts/base/protocols/socks/./main.bro
   scripts/base/protocols/ssh/__load__.bro
     scripts/base/protocols/ssh/./main.bro
   scripts/base/protocols/ssl/__load__.bro

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
-1329843175.736107	arKYeMETxOg	141.142.220.235	37604	199.233.217.249	56666	tcp	ftp-data	0.112432	0	342	SF	-	0	ShAdfFa	4	216	4	562
+1329843175.736107	arKYeMETxOg	141.142.220.235	37604	199.233.217.249	56666	tcp	ftp-data	0.112432	0	342	SF	-	0	ShAdfFa	4	216	4	562	(empty)
-1329843179.871641	k6kgXLOoSKl	141.142.220.235	59378	199.233.217.249	56667	tcp	ftp-data	0.111218	0	77	SF	-	0	ShAdfFa	4	216	4	297
+1329843179.871641	k6kgXLOoSKl	141.142.220.235	59378	199.233.217.249	56667	tcp	ftp-data	0.111218	0	77	SF	-	0	ShAdfFa	4	216	4	297	(empty)
-1329843194.151526	nQcgTWjvg4c	199.233.217.249	61920	141.142.220.235	33582	tcp	ftp-data	0.056211	342	0	SF	-	0	ShADaFf	5	614	3	164
+1329843194.151526	nQcgTWjvg4c	199.233.217.249	61920	141.142.220.235	33582	tcp	ftp-data	0.056211	342	0	SF	-	0	ShADaFf	5	614	3	164	(empty)
-1329843197.783443	j4u32Pc5bif	199.233.217.249	61918	141.142.220.235	37835	tcp	ftp-data	0.056005	77	0	SF	-	0	ShADaFf	5	349	3	164
+1329843197.783443	j4u32Pc5bif	199.233.217.249	61918	141.142.220.235	37835	tcp	ftp-data	0.056005	77	0	SF	-	0	ShADaFf	5	349	3	164	(empty)
-1329843161.968492	UWkUyAuUGXf	141.142.220.235	50003	199.233.217.249	21	tcp	ftp	38.055625	180	3146	SF	-	0	ShAdDfFa	38	2164	25	4458
+1329843161.968492	UWkUyAuUGXf	141.142.220.235	50003	199.233.217.249	21	tcp	ftp	38.055625	180	3146	SF	-	0	ShAdDfFa	38	2164	25	4458	(empty)

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
-1329327783.316897	arKYeMETxOg	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49186	2001:470:4867:99::21	57086	tcp	ftp-data	0.219721	0	342	SF	-	0	ShAdfFa	5	372	4	642
+1329327783.316897	arKYeMETxOg	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49186	2001:470:4867:99::21	57086	tcp	ftp-data	0.219721	0	342	SF	-	0	ShAdfFa	5	372	4	642	(empty)
-1329327786.524332	k6kgXLOoSKl	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49187	2001:470:4867:99::21	57087	tcp	ftp-data	0.217501	0	43	SF	-	0	ShAdfFa	5	372	4	343
+1329327786.524332	k6kgXLOoSKl	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49187	2001:470:4867:99::21	57087	tcp	ftp-data	0.217501	0	43	SF	-	0	ShAdfFa	5	372	4	343	(empty)
-1329327787.289095	nQcgTWjvg4c	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49188	2001:470:4867:99::21	57088	tcp	ftp-data	0.217941	0	77	SF	-	0	ShAdfFa	5	372	4	377
+1329327787.289095	nQcgTWjvg4c	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49188	2001:470:4867:99::21	57088	tcp	ftp-data	0.217941	0	77	SF	-	0	ShAdfFa	5	372	4	377	(empty)
-1329327795.571921	j4u32Pc5bif	2001:470:4867:99::21	55785	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49189	tcp	ftp-data	0.109813	77	0	SF	-	0	ShADFaf	5	449	4	300
+1329327795.571921	j4u32Pc5bif	2001:470:4867:99::21	55785	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49189	tcp	ftp-data	0.109813	77	0	SF	-	0	ShADFaf	5	449	4	300	(empty)
-1329327777.822004	UWkUyAuUGXf	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49185	2001:470:4867:99::21	21	tcp	ftp	26.658219	310	3448	SF	-	0	ShAdDfFa	57	4426	34	5908
+1329327777.822004	UWkUyAuUGXf	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49185	2001:470:4867:99::21	21	tcp	ftp	26.658219	310	3448	SF	-	0	ShAdDfFa	57	4426	34	5908	(empty)
-1329327800.017649	TEfuqmmG4bh	2001:470:4867:99::21	55647	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49190	tcp	ftp-data	0.109181	342	0	SF	-	0	ShADFaf	5	714	4	300
+1329327800.017649	TEfuqmmG4bh	2001:470:4867:99::21	55647	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49190	tcp	ftp-data	0.109181	342	0	SF	-	0	ShADFaf	5	714	4	300	(empty)

testing/btest/core/leaks/ayiya.test

@@ -0,0 +1,10 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/ayiya3.trace
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log

testing/btest/core/leaks/ip-in-ip.test

@@ -0,0 +1,33 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6.pcap %INPUT >>output
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6in6.pcap %INPUT >>output
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6-tunnel-change.pcap %INPUT >>output
+# @TEST-EXEC: btest-diff output
+
+event new_connection(c: connection)
+	{
+	if ( c?$tunnel )
+		{
+		print "new_connection: tunnel";
+		print fmt("    conn_id: %s", c$id);
+		print fmt("    encap: %s", c$tunnel);
+		}
+	else
+		{
+		print "new_connection: no tunnel";
+		}
+	}
+
+event tunnel_changed(c: connection, e: EncapsulatingConnVector)
+	{
+	print "tunnel_changed:";
+	print fmt("    conn_id: %s", c$id);
+	if ( c?$tunnel )
+		print fmt("    old: %s", c$tunnel);
+	print fmt("    new: %s", e);
+	}

testing/btest/core/leaks/teredo.bro

@@ -0,0 +1,41 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/Teredo.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
+function print_teredo(name: string, outer: connection, inner: teredo_hdr)
+	{
+	print fmt("%s: %s", name, outer$id);
+	print fmt("    ip6: %s", inner$hdr$ip6);
+	if ( inner?$auth )
+		print fmt("    auth: %s", inner$auth);
+	if ( inner?$origin )
+		print fmt("    origin: %s", inner$origin);
+	}
+
+event teredo_packet(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("packet", outer, inner);
+	}
+
+event teredo_authentication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("auth", outer, inner);
+	}
+
+event teredo_origin_indication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("origin", outer, inner);
+	}
+
+event teredo_bubble(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("bubble", outer, inner);
+	}

testing/btest/core/tunnels/ayiya.test

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/ayiya3.trace
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log

testing/btest/core/tunnels/false-teredo.bro

@@ -0,0 +1,34 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT >output
+# @TEST-EXEC: test ! -e weird.log
+# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT Tunnel::yielding_teredo_decapsulation=F >output
+# @TEST-EXEC: btest-diff weird.log
+
+function print_teredo(name: string, outer: connection, inner: teredo_hdr)
+	{
+	print fmt("%s: %s", name, outer$id);
+	print fmt("    ip6: %s", inner$hdr$ip6);
+	if ( inner?$auth )
+		print fmt("    auth: %s", inner$auth);
+	if ( inner?$origin )
+		print fmt("    origin: %s", inner$origin);
+	}
+
+event teredo_packet(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("packet", outer, inner);
+	}
+
+event teredo_authentication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("auth", outer, inner);
+	}
+
+event teredo_origin_indication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("origin", outer, inner);
+	}
+
+event teredo_bubble(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("bubble", outer, inner);
+	}

testing/btest/core/tunnels/ip-in-ip.test

@@ -0,0 +1,30 @@
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in4.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in4.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6-tunnel-change.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+
+event new_connection(c: connection)
+	{
+	if ( c?$tunnel )
+		{
+		print "new_connection: tunnel";
+		print fmt("    conn_id: %s", c$id);
+		print fmt("    encap: %s", c$tunnel);
+		}
+	else
+		{
+		print "new_connection: no tunnel";
+		}
+	}
+
+event tunnel_changed(c: connection, e: EncapsulatingConnVector)
+	{
+	print "tunnel_changed:";
+	print fmt("    conn_id: %s", c$id);
+	if ( c?$tunnel )
+		print fmt("    old: %s", c$tunnel);
+	print fmt("    new: %s", e);
+	}

testing/btest/core/tunnels/ip-tunnel-uid.test

@@ -0,0 +1,33 @@
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/ping6-in-ipv4.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+
+event new_connection(c: connection)
+	{
+	if ( c?$tunnel )
+		{
+		print "new_connection: tunnel";
+		print fmt("    conn_id: %s", c$id);
+		print fmt("    encap: %s", c$tunnel);
+		}
+	else
+		{
+		print "new_connection: no tunnel";
+		}
+	}
+
+event tunnel_changed(c: connection, e: EncapsulatingConnVector)
+	{
+	print "tunnel_changed:";
+	print fmt("    conn_id: %s", c$id);
+	if ( c?$tunnel )
+		print fmt("    old: %s", c$tunnel);
+	print fmt("    new: %s", e);
+	}
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	print "NEW_PACKET:";
+	print fmt("    %s", c$id);
+	if ( c?$tunnel )
+		print fmt("    %s", c$tunnel);
+	}

testing/btest/core/tunnels/teredo.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/Teredo.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
+function print_teredo(name: string, outer: connection, inner: teredo_hdr)
+	{
+	print fmt("%s: %s", name, outer$id);
+	print fmt("    ip6: %s", inner$hdr$ip6);
+	if ( inner?$auth )
+		print fmt("    auth: %s", inner$auth);
+	if ( inner?$origin )
+		print fmt("    origin: %s", inner$origin);
+	}
+
+event teredo_packet(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("packet", outer, inner);
+	}
+
+event teredo_authentication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("auth", outer, inner);
+	}
+
+event teredo_origin_indication(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("origin", outer, inner);
+	}
+
+event teredo_bubble(outer: connection, inner: teredo_hdr)
+	{
+	print_teredo("bubble", outer, inner);
+	}