Merge branch 'topic/christian/btest-trace-cleanup'

* topic/christian/btest-trace-cleanup: Btests: don't use -C in Zeek invocations that don't actually need it Remove executable file permission bits from a bunch of our pcaps
2025-10-02 06:38:20 +00:00 · 2025-06-09 18:00:33 -07:00 · 2025-06-09 18:00:33 -07:00 · 2f8bbeab1f
commit 2f8bbeab1f
parent 9e2accf016 8b39e59572
117 changed files with 103 additions and 97 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+8.0.0-dev.410 | 2025-06-09 18:00:33 -0700
+
+  * Btests: don't use -C in Zeek invocations that don't actually need it (Christian Kreibich, Corelight)
+
+  * Remove executable file permission bits from a bunch of our pcaps (Christian Kreibich, Corelight)
+
 8.0.0-dev.406 | 2025-06-06 11:45:33 -0700

  * Move initialization of RandTest members to header (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-8.0.0-dev.406
+8.0.0-dev.410
--- a/testing/btest/Traces/dnp3/dnp3_link_only.pcap
+++ b/testing/btest/Traces/dnp3/dnp3_link_only.pcap
--- a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap
+++ b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap
--- a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap
+++ b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap
--- a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
+++ b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
--- a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap
+++ b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap
--- a/testing/btest/Traces/http/content-range-less-than-len.pcap
+++ b/testing/btest/Traces/http/content-range-less-than-len.pcap
--- a/testing/btest/Traces/http/fake-content-length.pcap
+++ b/testing/btest/Traces/http/fake-content-length.pcap
--- a/testing/btest/Traces/http/x-gzip.pcap
+++ b/testing/btest/Traces/http/x-gzip.pcap
--- a/testing/btest/Traces/ipv6-fragmented-dns.trace
+++ b/testing/btest/Traces/ipv6-fragmented-dns.trace
--- a/testing/btest/Traces/ipv6-mobility-dst-opts.trace
+++ b/testing/btest/Traces/ipv6-mobility-dst-opts.trace
--- a/testing/btest/Traces/krb/optional-service-name.pcap
+++ b/testing/btest/Traces/krb/optional-service-name.pcap
--- a/testing/btest/Traces/krb/smb2_krb.pcap
+++ b/testing/btest/Traces/krb/smb2_krb.pcap
--- a/testing/btest/Traces/krb/smb_gssapi.trace
+++ b/testing/btest/Traces/krb/smb_gssapi.trace
--- a/testing/btest/Traces/modbus/4SICS-GeekLounge-151022-min.pcap
+++ b/testing/btest/Traces/modbus/4SICS-GeekLounge-151022-min.pcap
--- a/testing/btest/Traces/syslog-missing-pri.trace
+++ b/testing/btest/Traces/syslog-missing-pri.trace
--- a/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
--- a/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
+++ b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
--- a/testing/btest/core/erspan.zeek
+++ b/testing/btest/core/erspan.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspan.trace %INPUT 
+# @TEST-EXEC: zeek -b -r $TRACES/erspan.trace %INPUT
 # @TEST-EXEC: btest-diff tunnel.log

@load base/frameworks/tunnels
--- a/testing/btest/core/erspanI.zeek
+++ b/testing/btest/core/erspanI.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanI.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanI.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/erspanII.zeek
+++ b/testing/btest/core/erspanII.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanII.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanII.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/erspanIII.zeek
+++ b/testing/btest/core/erspanIII.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/erspanIII.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/erspanIII.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/ether-addrs.zeek
+++ b/testing/btest/core/ether-addrs.zeek
@ -1,5 +1,5 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/wikipedia.trace %INPUT >>output
-# @TEST-EXEC: zeek -C -b -r $TRACES/radiotap.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT >>output
+# @TEST-EXEC: zeek -b -r $TRACES/radiotap.pcap %INPUT >>output
 # @TEST-EXEC: btest-diff output

 event new_connection(c: connection)
--- a/testing/btest/core/pcap/read-trace-with-filter.zeek
+++ b/testing/btest/core/pcap/read-trace-with-filter.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace -f "port 50000"
+# @TEST-EXEC: zeek -r $TRACES/wikipedia.trace -f "port 50000"
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff packet_filter.log
--- a/testing/btest/core/pppoe-over-qinq.zeek
+++ b/testing/btest/core/pppoe-over-qinq.zeek
@ -1,5 +1,5 @@
 # Disable test temporarily - see GH-4547
 # @TEST-REQUIRES: ! have-spicy-ssl

-# @TEST-EXEC: zeek -C -r $TRACES/pppoe-over-qinq.pcap
+# @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/core/reporter-weird-sampling-global.zeek
+++ b/testing/btest/core/reporter-weird-sampling-global.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/wlanmon.pcap %INPUT | sort | uniq -c | awk '{print $1, $2, $3}' >output
+# @TEST-EXEC: zeek -b -r $TRACES/wlanmon.pcap %INPUT | sort | uniq -c | awk '{print $1, $2, $3}' >output
 # @TEST-EXEC: btest-diff output

 # The sampling functionality itself is already tested through other tests.
--- a/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
+++ b/testing/btest/core/tunnels/gre-aruba-amsdu.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 QoS A-MSDU headers. This is testing that the tunnel is detected and that the conn byte size contains both A-MSDU subframe packets.
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba-amsdu.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
+++ b/testing/btest/core/tunnels/gre-aruba-ccmp.zeek
@ -1,4 +1,4 @@
 # @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT

@load base/frameworks/notice/weird
--- a/testing/btest/core/tunnels/gre-aruba.zeek
+++ b/testing/btest/core/tunnels/gre-aruba.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
 # @TEST-EXEC: btest-diff tunnel.log

@load base/frameworks/tunnels
--- a/testing/btest/core/tunnels/gre-in-gre-min-depth.test
+++ b/testing/btest/core/tunnels/gre-in-gre-min-depth.test
@ -1,3 +1,3 @@
 # @TEST-DOC: Tests that an IP-in-IP tunnel with max-depth set to 1 doesn't crash
-# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gre-within-gre.pcap Tunnel::max_depth=1
+# @TEST-EXEC: zeek -r $TRACES/tunnels/gre-within-gre.pcap Tunnel::max_depth=1
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
+++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
 # @TEST-EXEC: btest-diff analyzer.log
 # @TEST-EXEC: btest-diff tunnel.log

--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/enable-disable.zeek
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/enable-disable.zeek
@ -1,5 +1,5 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/pe/pe.trace %INPUT >out
-# @TEST-EXEC: zeek -C -b -r $TRACES/pe/pe.trace %INPUT disable_it=T >>out
+# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT disable_it=T >>out
 # @TEST-EXEC: btest-diff out

@load base/protocols/ftp
--- a/testing/btest/scripts/base/frameworks/storage/redis-expiration.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/redis-expiration.zeek
@ -4,7 +4,7 @@
 # @TEST-PORT: REDIS_PORT

 # @TEST-EXEC: btest-bg-run redis-server run-redis-server ${REDIS_PORT%/tcp}
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -B storage -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -B storage -b -r - %INPUT > out
 # @TEST-EXEC: btest-bg-wait -k 1

 # @TEST-EXEC: btest-diff out
--- a/testing/btest/scripts/base/frameworks/storage/sqlite-basic-reading-pcap.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/sqlite-basic-reading-pcap.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Tests that sqlite async works fine while reading pcaps
-# @TEST-EXEC: zeek -C -r $TRACES/http/get.trace %INPUT > out
+# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT > out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr

--- a/testing/btest/scripts/base/frameworks/storage/sqlite-expiration.zeek
+++ b/testing/btest/scripts/base/frameworks/storage/sqlite-expiration.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Automatic expiration of stored data
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr

--- a/testing/btest/scripts/base/frameworks/telemetry/basic.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/basic.zeek
@ -2,7 +2,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/conn-duration-histogram.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/conn-duration-histogram.zeek
@ -1,7 +1,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/event-handler-invocations.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/event-handler-invocations.zeek
@ -3,7 +3,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/frameworks/telemetry/internal-metrics.zeek
+++ b/testing/btest/scripts/base/frameworks/telemetry/internal-metrics.zeek
@ -2,7 +2,7 @@
 # Not compilable to C++ due to globals being initialized to a record that
 # has an opaque type as a field.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out
+# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -r - %INPUT > out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC-FAIL: test -f reporter.log

--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
-# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
-# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f weird.log

--- a/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-edns-cookie.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-cookie.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-edns-cookie.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl

--- a/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-edns-tcp-keepalive.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-edns-tcp-keepalive.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-edns-tcp-keepalive.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl

--- a/testing/btest/scripts/base/protocols/dns/https.zeek
+++ b/testing/btest/scripts/base/protocols/dns/https.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -r $TRACES/dns-https.pcap %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/dns-https.pcap %INPUT > output
 # @TEST-EXEC: btest-diff output

@load policy/protocols/dns/auth-addl
--- a/testing/btest/scripts/base/protocols/http/curl-http-09.zeek
+++ b/testing/btest/scripts/base/protocols/http/curl-http-09.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: curl --http0.9 to accept the headerless response.
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/curl_http_09.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/curl_http_09.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: test ! -f weird.log

--- a/testing/btest/scripts/base/protocols/http/http-09.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-09.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Artificially created PCAP with one proper HTTP 0.9 request/response and a few invalid ones.
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/http_09.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/http_09.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-dpd-large-req.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -C -b -r $TRACES/http/http_large_req_8001.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r $TRACES/http/http_large_req_8001.pcap %INPUT >output
 # @TEST-EXEC: btest-diff output
 # 
 # @TEST-DOC: Tests our DPD signatures with a session where one side exceeds the DPD buffer size.
--- a/testing/btest/scripts/base/protocols/http/no-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-version.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-version.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/no-version.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

@load base/protocols/http
--- a/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/percent-end-of-line.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/version-mismatch.zeek
+++ b/testing/btest/scripts/base/protocols/http/version-mismatch.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Pcap extracted from 2009-M57-day11-18.trace: The server replies with HTTP/1.1, then HTTP/1.0 (also different Server headers).
-# @TEST-EXEC: zeek -b -Cr $TRACES/http/version-mismatch.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/version-mismatch.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/ldap/add.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/add.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-add.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-add.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/aduser1.pcap %INPUT
 # @TEST-EXEC: mkdir krb && mv *.log krb
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
 # @TEST-EXEC: mkdir ntlm && mv *.log ntlm
 # @TEST-EXEC: btest-diff krb/ldap.log
 # @TEST-EXEC: btest-diff krb/ldap_search.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
@ -5,7 +5,7 @@
 # at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
--- a/testing/btest/scripts/base/protocols/ldap/starttls.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
@ -1,7 +1,7 @@
 # Copyright (c) 2024 by the Zeek Project. See LICENSE for details.

 # @TEST-REQUIRES: have-spicy
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
+# @TEST-EXEC: zeek -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/scripts/base/protocols/pop3/basic.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/basic.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: Ensure basic POP3 functionality.
-# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pop3/pop3.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: test ! -f weird.log
--- a/testing/btest/scripts/base/protocols/pop3/redis.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@ -1,5 +1,5 @@
 # @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
-# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek
@ -1,8 +1,8 @@
 # @TEST-DOC: Test that misc/dump events works.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test rejecting wrong protocol.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test rejecting wrong protocol.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < analyzer_debug.log > analyzer.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test the parameter status event.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
--- a/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
 # @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
 # @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
 #
--- a/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Event for name, value pairs in the startup message.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
 #
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
+++ b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
 # @TEST-EXEC: btest-diff conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/chromium.zeek
+++ b/testing/btest/scripts/base/protocols/quic/chromium.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
+++ b/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: PCAP for which decryption failed due to not using the initial destination connection ID consistently.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/events.zeek
+++ b/testing/btest/scripts/base/protocols/quic/events.zeek
@ -1,9 +1,9 @@
 # @TEST-DOC: Supported events so far.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic %INPUT >out
 # @TEST-EXEC: echo "zerortt.pcap" >>out
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic %INPUT >>out
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic %INPUT >>out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff .stderr
 #
--- a/testing/btest/scripts/base/protocols/quic/firefox.zeek
+++ b/testing/btest/scripts/base/protocols/quic/firefox.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/handshake.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/handshake.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test interop pcap containing RETRY packet from server side.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/handshake.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/handshake.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/retry.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/retry.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test interop pcap containing RETRY packet from server side.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/retry.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/zerortt.zeek
+++ b/testing/btest/scripts/base/protocols/quic/interop/quic-go_quic-go/zerortt.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that client initiating connection using 0RTT packet doesn't cause analyzer errors trying to decrypt server side.
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/interop/quic-go_quic-go/zerortt.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/max-history-length.zeek
+++ b/testing/btest/scripts/base/protocols/quic/max-history-length.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic QUIC::max_history_length=3
+# @TEST-EXEC: zeek -r $TRACES/quic/firefox-102.13.0esr-blog-cloudflare-com.pcap base/protocols/quic QUIC::max_history_length=3
 # @TEST-EXEC: zeek-cut -m ts uid history < quic.log > quic.log.cut
 # @TEST-EXEC: btest-diff quic.log.cut
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto-only-initial.zeek
+++ b/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto-only-initial.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with CRYPTO frames fragemented over multiple INITIAL packets. The pcap only contains 3 INITIAL packets. Check what logs are created.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-multiple-initial-fragmented-crypto-only-initial.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-multiple-initial-fragmented-crypto-only-initial.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto.zeek
+++ b/testing/btest/scripts/base/protocols/quic/multiple-initial-fragmented-crypto.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with CRYPTO frames fragemented over multiple INITIAL packets.

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-multiple-initial-fragmented-crypto.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic-multiple-initial-fragmented-crypto.pcap base/protocols/quic
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
--- a/testing/btest/scripts/base/protocols/quic/quicdoq.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicdoq.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with dns-over-quic lookup using https://github.com/private-octopus/quicdoq

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicdoq.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicdoq.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/quicv2-echo-443.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicv2-echo-443.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with quicv2 echo traffic produced with https://raw.githubusercontent.com/quic-go/quic-go/master/example/echo/echo.go
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicv2-echo-443.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicv2-echo-443.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/quicv2-http3-443.zeek
+++ b/testing/btest/scripts/base/protocols/quic/quicv2-http3-443.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Pcap with quicv2 http3 traffic produced with https://raw.githubusercontent.com/quic-go/quic-go/master/example/main.go
 #
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quicv2-http3-443.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quicv2-http3-443.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/run-pcap.zeek
+++ b/testing/btest/scripts/base/protocols/quic/run-pcap.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic
+# @TEST-EXEC: zeek -r $TRACES/quic/quic_win11_firefox_google.pcap base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
+++ b/testing/btest/scripts/base/protocols/quic/vector-max-size-crash.zeek
@ -1,7 +1,7 @@
 # @TEST-DOC: Test that runs the pcap

 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
-# @TEST-EXEC: zeek -Cr $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
+# @TEST-EXEC: zeek -r $TRACES/quic/vector-max-size-crash.pcap base/protocols/quic %INPUT > out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: zeek-cut -m ts cause uid analyzer_kind analyzer_name failure_reason < analyzer_debug.log > analyzer_debug.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
--- a/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-invalid-length.zeek
@ -2,7 +2,7 @@
 # header, ensuring that it throws a binpac exception and reports a notice to
 # analyzer.log. The pcap used is a snippet of a pcap from OSS-Fuzz #57109.

-# @TEST-EXEC: zeek -C -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/rdp/rdp-invalid-length.pcap %INPUT
 # @TEST-EXEC: btest-diff analyzer_debug.log

@load frameworks/analyzer/debug-logging.zeek
--- a/Show more
+++ b/Show more