Add conn.log entries for connections with unhandled IP protocols

2025-10-02 06:38:20 +00:00 · 2024-09-10 15:13:11 +02:00 · 2024-09-10 15:13:11 +02:00 · 35ec9733c0
commit 35ec9733c0
parent a96515a2e8
422 changed files with 97715 additions and 97282 deletions
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -448,7 +448,8 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string, source: strin
 	# We add the source and destination as port 0/unknown because that is
 	# what fits best here.
 	local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
-	                   $resp_h=dst, $resp_p=count_to_port(0, unknown_transport));
+	                   $resp_h=dst, $resp_p=count_to_port(0, unknown_transport),
+	                   $proto=256);

 	local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));

--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -213,11 +213,12 @@ type transport_proto: enum {
 ##    see :ref:`the manual's description of the connection record
 ##    <writing-scripts-connection-record>`.
 type conn_id: record {
-	orig_h: addr;	##< The originator's IP address.
-	orig_p: port;	##< The originator's port number.
-	resp_h: addr;	##< The responder's IP address.
-	resp_p: port;	##< The responder's port number.
-} &log;
+	orig_h: addr &log;	##< The originator's IP address.
+	orig_p: port &log;	##< The originator's port number.
+	resp_h: addr &log;	##< The responder's IP address.
+	resp_p: port &log;	##< The responder's port number.
+	proto: count;
+};

 ## The identifying 4-tuple of a uni-directional flow.
 ##
@ -1300,21 +1301,27 @@ const non_analyzed_lifetime = 0 secs &redef;
 ## If a TCP connection is inactive, time it out after this interval. If 0 secs,
 ## then don't time it out.
 ##
-## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const tcp_inactivity_timeout = 5 min &redef;

 ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const udp_inactivity_timeout = 1 min &redef;

 ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const icmp_inactivity_timeout = 1 min &redef;

+## If a flow with an unknown IP-based protocol is inactive, time it out after
+## this interval. If 0 secs, then don't time it out.
+##
+## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+const unknown_ip_inactivity_timeout = 1 min &redef;
+
 ## Number of FINs/RSTs in a row that constitute a "storm". Storms are reported
 ## as ``weird`` via the notice framework, and they must also come within
 ## intervals of at most :zeek:see:`tcp_storm_interarrival_thresh`.
--- a/scripts/base/packet-protocols/ip/main.zeek
+++ b/scripts/base/packet-protocols/ip/main.zeek
@ -1,5 +1,10 @@
 module PacketAnalyzer::IP;

+export {
+	## Default analyzer
+	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT &redef;
+}
+
 const IPPROTO_TCP : count = 6;
 const IPPROTO_UDP : count = 17;
 const IPPROTO_ICMP : count = 1;
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -158,6 +158,9 @@ export {
 		## *uid* values for any encapsulating parent connections
 		## used over the lifetime of this inner connection.
 		tunnel_parents: set[string] &log &optional;
+		## The numeric identifier for the transport protocol for this
+		## connection.
+		protocol_id:   count      &log &optional;
 	};

 	## Event that can be handled to access the :zeek:type:`Conn::Info`
@ -281,6 +284,8 @@ function set_conn(c: connection, eoc: bool)
 		if ( c$history != "" )
 			c$conn$history=c$history;
 		}
+
+	c$conn$protocol_id = c$id$proto;
 	}

 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
--- a/scripts/policy/protocols/conn/protocol-strings.zeek
+++ b/scripts/policy/protocols/conn/protocol-strings.zeek
@ -0,0 +1,167 @@
+##! This script adds a string version of the protocol_id field
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## A string version of the protocol_id field
+	protocol_name: string &log &optional;
+};
+
+global protocol_names: table[count] of string = {
+	[0] = "hopopt",
+	[1] = "icmp",
+	[2] = "igmp",
+	[3] = "ggp",
+	[4] = "ip-in-ip",
+	[5] = "st",
+	[6] = "tcp",
+	[7] = "cbt",
+	[8] = "egp",
+	[9] = "igp",
+	[10] = "bbc-rcc-mon",
+	[11] = "nvp-ii",
+	[12] = "pup",
+	[13] = "argus",
+	[14] = "emcon",
+	[15] = "xnet",
+	[16] = "chaos",
+	[17] = "udp",
+	[18] = "mux",
+	[19] = "dcn-meas",
+	[20] = "hmp",
+	[21] = "prm",
+	[22] = "xns-idp",
+	[23] = "trunk-1",
+	[24] = "trunk-2",
+	[25] = "leaf-1",
+	[26] = "leaf-2",
+	[27] = "rdp",
+	[28] = "irtp",
+	[29] = "iso-tp4",
+	[30] = "netblt",
+	[31] = "mfe-nsp",
+	[32] = "merit-inp",
+	[33] = "dccp",
+	[34] = "3pc",
+	[35] = "idpr",
+	[36] = "xtp",
+	[37] = "ddp",
+	[38] = "idpr-cmtp",
+	[39] = "tp++",
+	[40] = "il",
+	[41] = "ipv6",
+	[42] = "sdrp",
+	[43] = "ipv6-route",
+	[44] = "ipv6-frag",
+	[45] = "idrp",
+	[46] = "rsvp",
+	[47] = "gre",
+	[48] = "dsr",
+	[49] = "bna",
+	[50] = "esp",
+	[51] = "ah",
+	[52] = "i-nlsp",
+	[53] = "swipe",
+	[54] = "narp",
+	[55] = "mobile",
+	[56] = "tlsp",
+	[57] = "skip",
+	[58] = "ipv6-icmp",
+	[59] = "ipv6-nonxt",
+	[60] = "ipv6-opts",
+	[61] = "host-protocol",  # Any host internal protocol
+	[62] = "cftp",
+	[63] = "local-network",  # Any local network
+	[64] = "sat-expak",
+	[65] = "kryptolan",
+	[66] = "rvd",
+	[67] = "ippc",
+	[68] = "distributed-files",  # Any distributed file system
+	[69] = "sat-on",
+	[70] = "visa",
+	[71] = "ipcu",
+	[72] = "cpnx",
+	[73] = "cphb",
+	[74] = "wsn",
+	[75] = "pvp",
+	[76] = "br-sat-mon",
+	[77] = "sun-and",
+	[78] = "wb-mon",
+	[79] = "wb-expak",
+	[80] = "iso-ip",
+	[81] = "vmtp",
+	[82] = "secure-vmtp",
+	[83] = "vines",
+	[84] = "ttp or iptm",  # TTP was obsoleted in 3/2023, replaced with IGTM
+	[85] = "nsfnet-igp",
+	[86] = "dgp",
+	[87] = "tcf",
+	[88] = "eigrp",
+	[89] = "ospf",
+	[90] = "sprite-rpc",
+	[91] = "larp",
+	[92] = "mtp",
+	[93] = "ax.25",
+	[94] = "os",
+	[95] = "micp",
+	[96] = "scc-sp",
+	[97] = "etherip",
+	[98] = "encap",
+	[99] = "private-encryption",  # Any private encryption scheme
+	[100] = "gtmp",
+	[101] = "ifmp",
+	[102] = "pnni",
+	[103] = "pim",
+	[104] = "aris",
+	[105] = "scps",
+	[106] = "qnx",
+	[107] = "a/n",
+	[108] = "ipcomp",
+	[109] = "snp",
+	[110] = "compaq-peer",
+	[111] = "ipx-in-ip",
+	[112] = "vrrp",
+	[113] = "pgm",
+	[114] = "zero-hop", # Any 0-hop protocol
+	[115] = "l2tp",
+	[116] = "ddx",
+	[117] = "iatp",
+	[118] = "stp",
+	[119] = "srp",
+	[120] = "uti",
+	[121] = "smp",
+	[122] = "sm",
+	[123] = "ptp",
+	[124] = "is-is-over-ipv4",
+	[125] = "fire",
+	[126] = "crtp",
+	[127] = "crudp",
+	[128] = "sccopmce",
+	[129] = "iplt",
+	[130] = "sps",
+	[131] = "pipe",
+	[132] = "sctp",
+	[133] = "fc",
+	[134] = "rsvp-e2e-ignore",
+	[135] = "mobility-header",
+	[136] = "udplite",
+	[137] = "mpls-in-ip",
+	[138] = "manet",
+	[139] = "hip",
+	[140] = "shim6",
+	[141] = "wesp",
+	[142] = "rohc",
+	[143] = "ethernet",
+	[144] = "aggfrag",
+	[145] = "nsh"
+};
+
+event connection_state_remove(c: connection) {
+	if ( c$conn$protocol_id in protocol_names ) {
+		c$conn$protocol_name = protocol_names[c$conn$protocol_id];
+	} else {
+		c$conn$protocol_name = "unknown";
+	}
+}
--- a/scripts/policy/protocols/dhcp/software.zeek
+++ b/scripts/policy/protocols/dhcp/software.zeek
@ -45,7 +45,8 @@ event DHCP::log_dhcp(rec: DHCP::Info)
 		local id: conn_id = [$orig_h=rec$assigned_addr,
 		                     $orig_p=rec$client_port,
 		                     $resp_h=rec$server_addr,
-		                     $resp_p=rec$server_port];
+		                     $resp_p=rec$server_port,
+				     $proto=17]; # DHCP is typically UDP

 		if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
 			{
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -95,6 +95,7 @@
@load protocols/conn/known-hosts.zeek
@load protocols/conn/known-services.zeek
@load protocols/conn/mac-logging.zeek
+@load protocols/conn/protocol-strings.zeek
@load protocols/conn/vlan-logging.zeek
@load protocols/conn/weirds.zeek
 #@load protocols/conn/speculative-service.zeek
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -33,7 +33,15 @@ Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id,
    resp_addr = id->dst_addr;
    orig_port = id->src_port;
    resp_port = id->dst_port;
-    proto = TRANSPORT_UNKNOWN;
+
+    switch ( id->proto ) {
+        case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
+        case IPPROTO_UDP: proto = TRANSPORT_UDP; break;
+        case IPPROTO_ICMP:
+        case IPPROTO_ICMPV6: proto = TRANSPORT_ICMP; break;
+        default: proto = TRANSPORT_UNKNOWN; break;
+    }
+
    orig_flow_label = flow;
    resp_flow_label = 0;
    saw_first_orig_packet = 1;
@ -187,6 +195,7 @@ const RecordValPtr& Connection::GetVal() {
        id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type));
        id_val->Assign(2, make_intrusive<AddrVal>(resp_addr));
        id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
+        id_val->Assign(4, KeyProto());

        auto orig_endp = make_intrusive<RecordVal>(id::endpoint);
        orig_endp->Assign(0, 0);
--- a/src/Conn.h
+++ b/src/Conn.h
@ -60,7 +60,7 @@ struct ConnTuple {
    uint32_t src_port = 0;
    uint32_t dst_port = 0;
    bool is_one_way = false; // if true, don't canonicalize order
-    TransportProto proto = TRANSPORT_UNKNOWN;
+    uint8_t proto;
 };

 static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
@ -135,6 +135,8 @@ public:
            return "unknown";
    }

+    uint8_t KeyProto() const { return key.transport; }
+
    // Returns true if the packet reflects a reuse of this
    // connection (i.e., not a continuation but the beginning of
    // a new connection).
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@ -20,9 +20,9 @@ const IPAddr IPAddr::v6_unspecified = IPAddr();

 namespace detail {

-ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t,
+ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto,
                 bool one_way) {
-    Init(src, dst, src_port, dst_port, t, one_way);
+    Init(src, dst, src_port, dst_port, proto, one_way);
 }

 ConnKey::ConnKey(const ConnTuple& id) {
@ -60,12 +60,14 @@ ConnKey::ConnKey(Val* v) {

    int orig_h, orig_p; // indices into record's value list
    int resp_h, resp_p;
+    uint8_t proto;

    if ( vr == id::conn_id ) {
        orig_h = 0;
        orig_p = 1;
        resp_h = 2;
        resp_p = 3;
+        proto = 4;
    }
    else {
        // While it's not a conn_id, it may have equivalent fields.
@ -73,13 +75,14 @@ ConnKey::ConnKey(Val* v) {
        resp_h = vr->FieldOffset("resp_h");
        orig_p = vr->FieldOffset("orig_p");
        resp_p = vr->FieldOffset("resp_p");
+        proto = vr->FieldOffset("proto");

-        if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) {
+        if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {
            valid = false;
            return;
        }

-        // ### we ought to check that the fields have the right
+        // TODO we ought to check that the fields have the right
        // types, too.
    }

@ -89,11 +92,13 @@ ConnKey::ConnKey(Val* v) {
    auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
    auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);

+    auto protov = vl->GetFieldAs<CountVal>(proto);
+
    Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()), htons((unsigned short)resp_portv->Port()),
-         orig_portv->PortType(), false);
+         protov, false);
 }

-void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t,
+void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto,
                   bool one_way) {
    // Because of padding in the object, this needs to memset to clear out
    // the extra memory used by padding. Otherwise, the session key stuff
@ -116,7 +121,7 @@ void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint
        port2 = src_port;
    }

-    transport = t;
+    transport = proto;
    valid = true;
 }

--- a/src/IPAddr.h
+++ b/src/IPAddr.h
@ -28,10 +28,10 @@ public:
    in6_addr ip2;
    uint16_t port1 = 0;
    uint16_t port2 = 0;
-    TransportProto transport = TRANSPORT_UNKNOWN;
+    uint8_t transport;
    bool valid = true;

-    ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t, bool one_way);
+    ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, bool one_way);
    ConnKey(const ConnTuple& conn);
    ConnKey(const ConnKey& rhs) { *this = rhs; }
    ConnKey(Val* v);
@ -46,8 +46,7 @@ public:
    ConnKey& operator=(const ConnKey& rhs);

 private:
-    void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t,
-              bool one_way);
+    void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, bool one_way);
 };

 } // namespace detail
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -135,6 +135,7 @@ double non_analyzed_lifetime;
 double tcp_inactivity_timeout;
 double udp_inactivity_timeout;
 double icmp_inactivity_timeout;
+double unknown_ip_inactivity_timeout;

 int tcp_storm_thresh;
 double tcp_storm_interarrival_thresh;
@ -267,6 +268,7 @@ void init_net_var() {
    tcp_inactivity_timeout = id::find_val("tcp_inactivity_timeout")->AsInterval();
    udp_inactivity_timeout = id::find_val("udp_inactivity_timeout")->AsInterval();
    icmp_inactivity_timeout = id::find_val("icmp_inactivity_timeout")->AsInterval();
+    unknown_ip_inactivity_timeout = id::find_val("unknown_ip_inactivity_timeout")->AsInterval();

    tcp_storm_thresh = id::find_val("tcp_storm_thresh")->AsCount();
    tcp_storm_interarrival_thresh = id::find_val("tcp_storm_interarrival_thresh")->AsInterval();
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -36,6 +36,7 @@ extern double non_analyzed_lifetime;
 extern double tcp_inactivity_timeout;
 extern double udp_inactivity_timeout;
 extern double icmp_inactivity_timeout;
+extern double unknown_ip_inactivity_timeout;

 extern int tcp_storm_thresh;
 extern double tcp_storm_interarrival_thresh;
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@ -14,6 +14,7 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
      src_port(c->OrigPort()),
      dst_port(c->RespPort()),
      proto(c->ConnTransport()),
+      proto_id(c->KeyProto()),
      type(t),
      uid(c->GetUID()) {
    if ( ! uid ) {
@ -30,6 +31,7 @@ RecordValPtr EncapsulatingConn::ToVal() const {
    id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
    id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
    id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
+    id_val->Assign(4, proto_id);
    rv->Assign(0, std::move(id_val));
    rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type));

--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@ -46,6 +46,7 @@ public:
          src_port(0),
          dst_port(0),
          proto(TRANSPORT_UNKNOWN),
+          proto_id(255),
          type(t),
          uid(UID(detail::bits_per_uid)) {}

@ -70,6 +71,7 @@ public:
          src_port(other.src_port),
          dst_port(other.dst_port),
          proto(other.proto),
+          proto_id(other.proto_id),
          type(other.type),
          uid(other.uid) {}

@ -85,6 +87,7 @@ public:
            src_port = other.src_port;
            dst_port = other.dst_port;
            proto = other.proto;
+            proto_id = other.proto_id;
            type = other.type;
            uid = other.uid;
            ip_hdr = other.ip_hdr;
@ -106,7 +109,7 @@ public:

        if ( ec1.type == BifEnum::Tunnel::IP || ec1.type == BifEnum::Tunnel::GRE )
            // Reversing endpoints is still same tunnel.
-            return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+            return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ec1.proto_id == ec2.proto_id &&
                   ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
                    (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));

@ -114,11 +117,13 @@ public:
            // Reversing endpoints is still same tunnel, destination port is
            // always the same.
            return ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+                   ec1.proto_id == ec2.proto_id &&
                   ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
                    (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));

        return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port &&
-               ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto;
+               ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+               ec1.proto_id == ec2.proto_id;
    }

    friend bool operator!=(const EncapsulatingConn& ec1, const EncapsulatingConn& ec2) { return ! (ec1 == ec2); }
@ -132,6 +137,7 @@ protected:
    uint16_t src_port;
    uint16_t dst_port;
    TransportProto proto;
+    uint8_t proto_id;
    BifEnum::Tunnel::Type type;
    UID uid;
 };
--- a/src/event.bif
+++ b/src/event.bif
@ -163,7 +163,8 @@ event connection_timeout%(c: connection%);
 ##    connection_pending connection_rejected connection_reset connection_reused
 ##    connection_status_update connection_timeout scheduled_analyzer_applied
 ##    new_connection new_connection_contents partial_connection udp_inactivity_timeout
-##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
+##    tcp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout
+##    conn_stats
 event connection_state_remove%(c: connection%);

 ## Generated when a connection 4-tuple is reused. This event is raised when Zeek
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -33,6 +33,7 @@ static RecordValPtr get_conn_id_val(const Connection* conn) {
    v->Assign(1, val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport()));
    v->Assign(2, make_intrusive<AddrVal>(conn->RespAddr()));
    v->Assign(3, val_mgr->Port(ntohs(conn->RespPort()), conn->ConnTransport()));
+    v->Assign(4, conn->KeyProto());
    return v;
 }

--- a/src/net_util.h
+++ b/src/net_util.h
@ -4,8 +4,10 @@

 #include "zeek/zeek-config.h"

+#include <cstdint>
+
 // Define first.
-enum TransportProto {
+enum TransportProto : uint8_t {
    TRANSPORT_UNKNOWN,
    TRANSPORT_TCP,
    TRANSPORT_UDP,
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@ -252,6 +252,11 @@ protected:
     */
    bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;

+    /**
+     * Flag for whether to report unknown protocols in ForwardPacket.
+     */
+    bool report_unknown_protocols = true;
+
 private:
    // Internal helper to raise analyzer_confirmation events
    void EnqueueAnalyzerConfirmationInfo(session::Session* session, const zeek::Tag& arg_tag);
@ -270,11 +275,6 @@ private:
    AnalyzerPtr default_analyzer = nullptr;
    bool enabled = true;

-    /**
-     * Flag for whether to report unknown protocols in ForwardPacket.
-     */
-    bool report_unknown_protocols = true;
-
    std::set<AnalyzerPtr> analyzers_to_detect;

    void Init(const zeek::Tag& tag);
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@ -25,6 +25,7 @@ add_subdirectory(udp)
 add_subdirectory(tcp)
 add_subdirectory(icmp)
 add_subdirectory(vntag)
+add_subdirectory(unknown_ip_transport)

 add_subdirectory(gre)
 add_subdirectory(iptunnel)
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@ -40,7 +40,7 @@ bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packe

    tuple.src_addr = packet->ip_hdr->SrcAddr();
    tuple.dst_addr = packet->ip_hdr->DstAddr();
-    tuple.proto = TRANSPORT_ICMP;
+    tuple.proto = packet->proto;

    const struct icmp* icmpp = (const struct icmp*)data;
    tuple.src_port = htons(icmpp->icmp_type);
@ -312,6 +312,7 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& dat
    id_val->Assign(1, val_mgr->Port(src_port, proto));
    id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
    id_val->Assign(3, val_mgr->Port(dst_port, proto));
+    id_val->Assign(4, IPPROTO_ICMP);

    iprec->Assign(0, std::move(id_val));
    iprec->Assign(1, val_mgr->Count(ip_len));
@ -368,6 +369,7 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP6Context(int len, const u_char*& dat
    id_val->Assign(1, val_mgr->Port(src_port, proto));
    id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
    id_val->Assign(3, val_mgr->Port(dst_port, proto));
+    id_val->Assign(4, IPPROTO_ICMPV6);

    iprec->Assign(0, std::move(id_val));
    iprec->Assign(1, val_mgr->Count(ip_len));
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@ -42,7 +42,7 @@ bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
    tuple.src_port = tp->th_sport;
    tuple.dst_port = tp->th_dport;
    tuple.is_one_way = false;
-    tuple.proto = TRANSPORT_TCP;
+    tuple.proto = packet->proto;

    return true;
 }
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@ -66,7 +66,7 @@ bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
    tuple.src_port = up->uh_sport;
    tuple.dst_port = up->uh_dport;
    tuple.is_one_way = false;
-    tuple.proto = TRANSPORT_UDP;
+    tuple.proto = packet->proto;

    return true;
 }
--- a/src/packet_analysis/protocol/unknown_ip_transport/CMakeLists.txt
+++ b/src/packet_analysis/protocol/unknown_ip_transport/CMakeLists.txt
@ -0,0 +1 @@
+zeek_add_plugin(Zeek UnknownIP SOURCES UnknownIPTransport.cc UnknownIPSessionAdapter.cc Plugin.cc)
--- a/src/packet_analysis/protocol/unknown_ip_transport/Plugin.cc
+++ b/src/packet_analysis/protocol/unknown_ip_transport/Plugin.cc
@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/analyzer/Component.h"
+#include "zeek/packet_analysis/Component.h"
+
+#include "packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h"
+
+namespace zeek::plugin::Zeek_Unknown_IP_Transport {
+
+class Plugin final : public zeek::plugin::Plugin {
+public:
+    zeek::plugin::Configuration Configure() override {
+        AddComponent(new zeek::packet_analysis::
+                         Component("Unknown_IP_Transport",
+                                   zeek::packet_analysis::UnknownIPTransport::UnknownIPTransportAnalyzer::Instantiate));
+        AddComponent(new zeek::analyzer::Component("Unknown_IP_Transport", nullptr, 0, true, false, true));
+
+        zeek::plugin::Configuration config;
+        config.name = "Zeek::Unknown_IP_Transport";
+        config.description = "Packet analyzer for unknown IP protocols";
+        return config;
+    }
+
+} plugin;
+
+} // namespace zeek::plugin::Zeek_Unknown_IP_Transport
--- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.cc
@ -0,0 +1,17 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.h"
+
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
+
+using namespace zeek::packet_analysis::UnknownIPTransport;
+using namespace zeek::packet_analysis::IP;
+
+void UnknownIPSessionAdapter::AddExtraAnalyzers(Connection* conn) {
+    static zeek::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
+
+    if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
+        // Add ConnSize analyzer. Needs to see packets, not stream.
+        AddChildAnalyzer(new analyzer::conn_size::ConnSize_Analyzer(conn));
+}
--- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.h
+++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.h
@ -0,0 +1,16 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
+
+namespace zeek::packet_analysis::UnknownIPTransport {
+
+class UnknownIPSessionAdapter final : public IP::SessionAdapter {
+public:
+    UnknownIPSessionAdapter(Connection* conn) : IP::SessionAdapter("Unknown_IP_Transport", conn) {}
+
+    void AddExtraAnalyzers(Connection* conn) override;
+};
+
+} // namespace zeek::packet_analysis::UnknownIPTransport
--- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc
+++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.cc
@ -0,0 +1,63 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h"
+
+#include "zeek/Conn.h"
+#include "zeek/RunState.h"
+#include "zeek/packet_analysis/protocol/unknown_ip_transport/UnknownIPSessionAdapter.h"
+#include "zeek/session/Manager.h"
+
+using namespace zeek::packet_analysis::UnknownIPTransport;
+using namespace zeek::packet_analysis::IP;
+
+UnknownIPTransportAnalyzer::UnknownIPTransportAnalyzer()
+    : IPBasedAnalyzer("Unknown_IP_Transport", TRANSPORT_UNKNOWN, 0 /*mask*/, true) {}
+
+bool UnknownIPTransportAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) {
+    IPBasedAnalyzer::AnalyzePacket(len, data, packet);
+
+    packet->processed = false;
+
+    if ( report_unknown_protocols )
+        packet_mgr->ReportUnknownProtocol(GetAnalyzerName(), htons(packet->ip_hdr->NextProto()), data, len);
+
+    return false;
+}
+
+SessionAdapter* UnknownIPTransportAnalyzer::MakeSessionAdapter(Connection* conn) {
+    auto* root = new UnknownIPSessionAdapter(conn);
+    root->SetParent(this);
+
+    conn->SetInactivityTimeout(zeek::detail::unknown_ip_inactivity_timeout);
+
+    return root;
+}
+
+bool UnknownIPTransportAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
+    tuple.src_addr = packet->ip_hdr->SrcAddr();
+    tuple.dst_addr = packet->ip_hdr->DstAddr();
+    tuple.proto = packet->proto;
+
+    return true;
+}
+
+void UnknownIPTransportAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) {
+    auto* adapter = static_cast<UnknownIPSessionAdapter*>(c->GetSessionAdapter());
+
+    const u_char* data = pkt->ip_hdr->Payload();
+    int len = pkt->ip_hdr->PayloadLen();
+    // If segment offloading or similar is enabled, the payload len will return 0.
+    // Thus, let's ignore that case.
+    if ( len == 0 )
+        len = remaining;
+
+    if ( packet_contents && len > 0 )
+        adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
+
+    c->SetLastTime(run_state::current_timestamp);
+
+    ForwardPacket(std::min(len, remaining), data, pkt);
+
+    const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+    adapter->ForwardPacket(std::min(len, remaining), data, is_orig, -1, ip.get(), pkt->cap_len);
+}
--- a/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h
+++ b/src/packet_analysis/protocol/unknown_ip_transport/UnknownIPTransport.h
@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
+
+namespace zeek::packet_analysis::UnknownIPTransport {
+
+class UnknownIPSessionAdapter;
+
+class UnknownIPTransportAnalyzer final : public IP::IPBasedAnalyzer {
+public:
+    UnknownIPTransportAnalyzer();
+    ~UnknownIPTransportAnalyzer() override = default;
+
+    static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared<UnknownIPTransportAnalyzer>(); }
+
+    bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+    packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override;
+
+protected:
+    /**
+     * Parse the header from the packet into a ConnTuple object.
+     */
+    bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
+
+    void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
+};
+
+} // namespace zeek::packet_analysis::UnknownIPTransport
--- a/src/zeek.bif
+++ b/src/zeek.bif
@ -315,6 +315,7 @@ zeek::RecordValPtr zeek::detail::build_dummy_conn_record()
 	id_val->Assign(1, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
 	id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>((unsigned int) 0));
 	id_val->Assign(3, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
+    id_val->Assign(4, 255);
 	c->Assign(0, std::move(id_val));

 	auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/icmp.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/icmp.pcap.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=192.168.0.89, orig_p=8/icmp, resp_h=192.168.0.1, resp_p=0/icmp], 1:X0snYXpgwiv9TZtqg64sgzUn6Dk=
+[orig_h=192.168.0.89, orig_p=8/icmp, resp_h=192.168.0.1, resp_p=0/icmp, proto=1], 1:X0snYXpgwiv9TZtqg64sgzUn6Dk=
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/icmp6.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/icmp6.pcap.out
@ -1,15 +1,15 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=3ffe:501:0:1802:260:97ff:feb6:7ff0, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp], 1:bnQKq8A2r//dWnkRW2EYcMhShjc=
-[orig_h=3ffe:501:1800:2345::2, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp], 1:2ObVBgIn28oZvibYZhZMBgh7WdQ=
-[orig_h=3ffe:501:410:0:2c0:dfff:fe47:33e, orig_p=1/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=4/icmp], 1:hLZd0XGWojozrvxqE0dWB1iM6R0=
-[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=1/icmp, resp_h=3ffe:501:4819::42, resp_p=4/icmp], 1:jwuBy9UWZK1KUFqJV5cHdVpfrlY=
-[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=128/icmp, resp_h=3ffe:501:0:1001::2, resp_p=129/icmp], 1:+TW+HtLHvV1xnGhV1lv7XoJrqQg=
-[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=128/icmp, resp_h=3ffe:507:0:1:260:97ff:fe07:69ea, resp_p=129/icmp], 1:GpbEQrKqfWtsfsFiqg8fufoZe5Y=
-[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=135/icmp, resp_h=3ffe:507:0:1:260:97ff:fe07:69ea, resp_p=136/icmp], 1:ORxAZfN3ld7Sv73/HQTNnvgxbpY=
-[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=135/icmp, resp_h=ff02::1:ff07:69ea, resp_p=136/icmp], 1:MEixa66kuz0OMvlQqnAIzP3n2xg=
-[orig_h=3ffe:507:0:1:260:97ff:fe07:69ea, orig_p=135/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=136/icmp], 1:BtEUCMYecYjJ7spEkVZDiCFaMTY=
-[orig_h=3ffe:507:0:1:260:97ff:fe07:69ea, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp], 1:NdobDX8PQNJbAyfkWxhtL2Pqp5w=
-[orig_h=fe80::200:86ff:fe05:80da, orig_p=133/icmp, resp_h=ff02::2, resp_p=134/icmp], 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
-[orig_h=fe80::200:86ff:fe05:80da, orig_p=135/icmp, resp_h=fe80::260:97ff:fe07:69ea, resp_p=136/icmp], 1:dGHyGvjMfljg6Bppwm3bg0LO8TY=
-[orig_h=fe80::260:97ff:fe07:69ea, orig_p=134/icmp, resp_h=ff02::1, resp_p=133/icmp], 1:pkvHqCL88/tg1k4cPigmZXUtL00=
-[orig_h=fe80::260:97ff:fe07:69ea, orig_p=135/icmp, resp_h=fe80::200:86ff:fe05:80da, resp_p=136/icmp], 1:zavyT/cezQr1fmImYCwYnMXbgck=
+[orig_h=3ffe:501:0:1802:260:97ff:feb6:7ff0, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp, proto=58], 1:bnQKq8A2r//dWnkRW2EYcMhShjc=
+[orig_h=3ffe:501:1800:2345::2, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp, proto=58], 1:2ObVBgIn28oZvibYZhZMBgh7WdQ=
+[orig_h=3ffe:501:410:0:2c0:dfff:fe47:33e, orig_p=1/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=4/icmp, proto=58], 1:hLZd0XGWojozrvxqE0dWB1iM6R0=
+[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=1/icmp, resp_h=3ffe:501:4819::42, resp_p=4/icmp, proto=58], 1:jwuBy9UWZK1KUFqJV5cHdVpfrlY=
+[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=128/icmp, resp_h=3ffe:501:0:1001::2, resp_p=129/icmp, proto=58], 1:+TW+HtLHvV1xnGhV1lv7XoJrqQg=
+[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=128/icmp, resp_h=3ffe:507:0:1:260:97ff:fe07:69ea, resp_p=129/icmp, proto=58], 1:GpbEQrKqfWtsfsFiqg8fufoZe5Y=
+[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=135/icmp, resp_h=3ffe:507:0:1:260:97ff:fe07:69ea, resp_p=136/icmp, proto=58], 1:ORxAZfN3ld7Sv73/HQTNnvgxbpY=
+[orig_h=3ffe:507:0:1:200:86ff:fe05:80da, orig_p=135/icmp, resp_h=ff02::1:ff07:69ea, resp_p=136/icmp, proto=58], 1:MEixa66kuz0OMvlQqnAIzP3n2xg=
+[orig_h=3ffe:507:0:1:260:97ff:fe07:69ea, orig_p=135/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=136/icmp, proto=58], 1:BtEUCMYecYjJ7spEkVZDiCFaMTY=
+[orig_h=3ffe:507:0:1:260:97ff:fe07:69ea, orig_p=3/icmp, resp_h=3ffe:507:0:1:200:86ff:fe05:80da, resp_p=0/icmp, proto=58], 1:NdobDX8PQNJbAyfkWxhtL2Pqp5w=
+[orig_h=fe80::200:86ff:fe05:80da, orig_p=133/icmp, resp_h=ff02::2, resp_p=134/icmp, proto=58], 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+[orig_h=fe80::200:86ff:fe05:80da, orig_p=135/icmp, resp_h=fe80::260:97ff:fe07:69ea, resp_p=136/icmp, proto=58], 1:dGHyGvjMfljg6Bppwm3bg0LO8TY=
+[orig_h=fe80::260:97ff:fe07:69ea, orig_p=134/icmp, resp_h=ff02::1, resp_p=133/icmp, proto=58], 1:pkvHqCL88/tg1k4cPigmZXUtL00=
+[orig_h=fe80::260:97ff:fe07:69ea, orig_p=135/icmp, resp_h=fe80::200:86ff:fe05:80da, resp_p=136/icmp, proto=58], 1:zavyT/cezQr1fmImYCwYnMXbgck=
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/ipv6.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/ipv6.pcap.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=2001:470:e5bf:dead:4957:2174:e82c:4887, orig_p=63943/tcp, resp_h=2607:f8b0:400c:c03::1a, resp_p=25/tcp], 1:/qFaeAR+gFe1KYjMzVDsMv+wgU4=
+[orig_h=2001:470:e5bf:dead:4957:2174:e82c:4887, orig_p=63943/tcp, resp_h=2607:f8b0:400c:c03::1a, resp_p=25/tcp, proto=6], 1:/qFaeAR+gFe1KYjMzVDsMv+wgU4=
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/sctp.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/sctp.pcap.out
@ -1 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=192.168.170.8, orig_p=0/unknown, resp_h=192.168.170.56, resp_p=0/unknown, proto=132], 
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/tcp.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/tcp.pcap.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=128.232.110.120, orig_p=34855/tcp, resp_h=66.35.250.204, resp_p=80/tcp], 1:LQU9qZlK+B5F3KDmev6m5PMibrg=
+[orig_h=128.232.110.120, orig_p=34855/tcp, resp_h=66.35.250.204, resp_p=80/tcp, proto=6], 1:LQU9qZlK+B5F3KDmev6m5PMibrg=
--- a/testing/btest/Baseline/bifs.community_id.run-pcaps/udp.pcap.out
+++ b/testing/btest/Baseline/bifs.community_id.run-pcaps/udp.pcap.out
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=192.168.1.52, orig_p=54585/udp, resp_h=8.8.8.8, resp_p=53/udp], 1:d/FP5EW3wiY1vCndhwleRRKHowQ=
+[orig_h=192.168.1.52, orig_p=54585/udp, resp_h=8.8.8.8, resp_p=53/udp, proto=17], 1:d/FP5EW3wiY1vCndhwleRRKHowQ=
--- a/testing/btest/Baseline/bifs.community_id.v1/out
+++ b/testing/btest/Baseline/bifs.community_id.v1/out
@ -1,11 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-PASS: expected '1:wCb3OG7yAFWelaUydu0D+125CLM=', got '1:wCb3OG7yAFWelaUydu0D+125CLM=' ([orig_h=1.2.3.4, orig_p=1122/tcp, resp_h=5.6.7.8, resp_p=3344/tcp], seed=0)
-PASS: expected '1:0Mu9InQx6z4ZiCZM/7HXi2WMhOg=', got '1:0Mu9InQx6z4ZiCZM/7HXi2WMhOg=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp], seed=0)
-PASS: expected '1:crodRHL2FEsHjbv3UkRrfbs4bZ0=', got '1:crodRHL2FEsHjbv3UkRrfbs4bZ0=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp], seed=0)
-PASS: expected '1:0bf7hyMJUwt3fMED7z8LIfRpBeo=', got '1:0bf7hyMJUwt3fMED7z8LIfRpBeo=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp], seed=0)
-PASS: expected '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=', got '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=' ([orig_h=1.2.3.4, orig_p=1122/tcp, resp_h=5.6.7.8, resp_p=3344/tcp], seed=1)
-PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp], seed=1)
-PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp], seed=1)
-PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp], seed=1)
-PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], seed=0)
-PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown], seed=1)
+PASS: expected '1:wCb3OG7yAFWelaUydu0D+125CLM=', got '1:wCb3OG7yAFWelaUydu0D+125CLM=' ([orig_h=1.2.3.4, orig_p=1122/tcp, resp_h=5.6.7.8, resp_p=3344/tcp, proto=6], seed=0)
+PASS: expected '1:0Mu9InQx6z4ZiCZM/7HXi2WMhOg=', got '1:0Mu9InQx6z4ZiCZM/7HXi2WMhOg=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=0)
+PASS: expected '1:crodRHL2FEsHjbv3UkRrfbs4bZ0=', got '1:crodRHL2FEsHjbv3UkRrfbs4bZ0=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=0)
+PASS: expected '1:0bf7hyMJUwt3fMED7z8LIfRpBeo=', got '1:0bf7hyMJUwt3fMED7z8LIfRpBeo=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=0)
+PASS: expected '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=', got '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=' ([orig_h=1.2.3.4, orig_p=1122/tcp, resp_h=5.6.7.8, resp_p=3344/tcp, proto=6], seed=1)
+PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1)
+PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1)
+PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
+PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], seed=0)
+PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=255], seed=1)
--- a/testing/btest/Baseline/bifs.disable_analyzer-early/out
+++ b/testing/btest/Baseline/bifs.disable_analyzer-early/out
@ -3,5 +3,5 @@ proto confirm, Analyzer::ANALYZER_HTTP
 T
 http_request, GET, /style/enhanced.css
 total http messages, {
-[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]] = 1
+[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6]] = 1
 }
--- a/testing/btest/Baseline/bifs.disable_analyzer-hook/out
+++ b/testing/btest/Baseline/bifs.disable_analyzer-hook/out
@ -1,16 +1,16 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 proto confirm, Analyzer::ANALYZER_HTTP
 http_request, GET, /style/enhanced.css
-preventing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp], Analyzer::ANALYZER_HTTP, 3, 1
+preventing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6], Analyzer::ANALYZER_HTTP, 3, 1
 F
 http_reply, 200
 http_request, GET, /script/urchin.js
-preventing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp], Analyzer::ANALYZER_HTTP, 3, 3
+preventing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6], Analyzer::ANALYZER_HTTP, 3, 3
 F
 http_reply, 200
 http_request, GET, /images/template/screen/bullet_utility.png
-allowing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp], Analyzer::ANALYZER_HTTP, 3, 5
+allowing disable_analyzer, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6], Analyzer::ANALYZER_HTTP, 3, 5
 T
 total http messages, {
-[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]] = 5
+[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6]] = 5
 }
--- a/testing/btest/Baseline/bifs.disable_analyzer-tcp-packet-children/out
+++ b/testing/btest/Baseline/bifs.disable_analyzer-tcp-packet-children/out
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-triggered packets, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp], 1, T
+triggered packets, [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6], 1, T
 T
--- a/testing/btest/Baseline/bifs.disable_analyzer/out
+++ b/testing/btest/Baseline/bifs.disable_analyzer/out
@ -3,5 +3,5 @@ proto confirm, Analyzer::ANALYZER_HTTP
 http_request, GET, /style/enhanced.css
 T
 total http messages, {
-[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]] = 1
+[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp, proto=6]] = 1
 }
--- a/testing/btest/Baseline/bifs.install_src_addr_filter/output
+++ b/testing/btest/Baseline/bifs.install_src_addr_filter/output
@ -1,9 +1,9 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
--- a/testing/btest/Baseline/broker.python-bindings/recv..stdout
+++ b/testing/btest/Baseline/broker.python-bindings/recv..stdout
@ -1,23 +1,23 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 35634/tcp, IPv4Address('208.80.152.2'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 48649/tcp, IPv4Address('208.80.152.118'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49996/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49997/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49998/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49999/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 50000/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 50001/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 35642/tcp, IPv4Address('208.80.152.2'), 80/tcp)
-Received /btest/connections new_conn_added (IPv4Address('173.192.163.128'), 80/tcp, IPv4Address('141.142.220.235'), 6705/tcp)
-Received /btest/connections conn_removed (IPv4Address('173.192.163.128'), 80/tcp, IPv4Address('141.142.220.235'), 6705/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 35634/tcp, IPv4Address('208.80.152.2'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 48649/tcp, IPv4Address('208.80.152.118'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49997/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49996/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49998/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 50000/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49999/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 50001/tcp, IPv4Address('208.80.152.3'), 80/tcp)
-Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 35642/tcp, IPv4Address('208.80.152.2'), 80/tcp)
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 35634/tcp, IPv4Address('208.80.152.2'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 48649/tcp, IPv4Address('208.80.152.118'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49996/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49997/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49998/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 49999/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 50000/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 50001/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('141.142.220.118'), 35642/tcp, IPv4Address('208.80.152.2'), 80/tcp, Count(6))
+Received /btest/connections new_conn_added (IPv4Address('173.192.163.128'), 80/tcp, IPv4Address('141.142.220.235'), 6705/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('173.192.163.128'), 80/tcp, IPv4Address('141.142.220.235'), 6705/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 35634/tcp, IPv4Address('208.80.152.2'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 48649/tcp, IPv4Address('208.80.152.118'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49997/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49996/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49998/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 50000/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 49999/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 50001/tcp, IPv4Address('208.80.152.3'), 80/tcp, Count(6))
+Received /btest/connections conn_removed (IPv4Address('141.142.220.118'), 35642/tcp, IPv4Address('208.80.152.2'), 80/tcp, Count(6))
 Received /btest/connections Pcap::file_done /
 Received Pcap::file_done
--- a/testing/btest/Baseline/broker.python-bindings/send..stdout
+++ b/testing/btest/Baseline/broker.python-bindings/send..stdout
@ -22,24 +22,24 @@
 1300561569.780331, connection_state_remove, 19, C37jN32gN3y3AZzyf6
 1300561569.780331, connection_state_remove, 20, C3eiCBGOLw3VtHfOj
 1300561569.780331, send_pcap_file_done
-1300561569.780331, from_python, 1, new_conn_added, CHhAvVGS1DHFjwGM9, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-1300561569.780331, from_python, 2, new_conn_added, ClEkJM2Vm5giqnMf4h, [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
-1300561569.780331, from_python, 3, new_conn_added, C4J4Th3PJpwUYZZ6gc, [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 4, new_conn_added, CtPZjS20MLrsMUOJi2, [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 5, new_conn_added, CUM0KZ3MLUfNB0cl11, [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 6, new_conn_added, CmES5u32sYpV7JYN, [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 7, new_conn_added, CP5puj4I8PtEU4qzYg, [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 8, new_conn_added, C37jN32gN3y3AZzyf6, [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 9, new_conn_added, C3eiCBGOLw3VtHfOj, [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-1300561569.780331, from_python, 10, new_conn_added, CwjjYJ2WqgTbAqiHl6, [orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp]
-1300561569.780331, from_python, 11, conn_removed, CwjjYJ2WqgTbAqiHl6, [orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp]
-1300561569.780331, from_python, 12, conn_removed, CHhAvVGS1DHFjwGM9, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-1300561569.780331, from_python, 13, conn_removed, ClEkJM2Vm5giqnMf4h, [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
-1300561569.780331, from_python, 14, conn_removed, CtPZjS20MLrsMUOJi2, [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 15, conn_removed, C4J4Th3PJpwUYZZ6gc, [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 16, conn_removed, CUM0KZ3MLUfNB0cl11, [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 17, conn_removed, CP5puj4I8PtEU4qzYg, [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 18, conn_removed, CmES5u32sYpV7JYN, [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 19, conn_removed, C37jN32gN3y3AZzyf6, [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-1300561569.780331, from_python, 20, conn_removed, C3eiCBGOLw3VtHfOj, [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+1300561569.780331, from_python, 1, new_conn_added, CHhAvVGS1DHFjwGM9, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 2, new_conn_added, ClEkJM2Vm5giqnMf4h, [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 3, new_conn_added, C4J4Th3PJpwUYZZ6gc, [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 4, new_conn_added, CtPZjS20MLrsMUOJi2, [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 5, new_conn_added, CUM0KZ3MLUfNB0cl11, [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 6, new_conn_added, CmES5u32sYpV7JYN, [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 7, new_conn_added, CP5puj4I8PtEU4qzYg, [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 8, new_conn_added, C37jN32gN3y3AZzyf6, [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 9, new_conn_added, C3eiCBGOLw3VtHfOj, [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 10, new_conn_added, CwjjYJ2WqgTbAqiHl6, [orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp, proto=6]
+1300561569.780331, from_python, 11, conn_removed, CwjjYJ2WqgTbAqiHl6, [orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp, proto=6]
+1300561569.780331, from_python, 12, conn_removed, CHhAvVGS1DHFjwGM9, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 13, conn_removed, ClEkJM2Vm5giqnMf4h, [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 14, conn_removed, CtPZjS20MLrsMUOJi2, [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 15, conn_removed, C4J4Th3PJpwUYZZ6gc, [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 16, conn_removed, CUM0KZ3MLUfNB0cl11, [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 17, conn_removed, CP5puj4I8PtEU4qzYg, [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 18, conn_removed, CmES5u32sYpV7JYN, [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 19, conn_removed, C37jN32gN3y3AZzyf6, [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+1300561569.780331, from_python, 20, conn_removed, C3eiCBGOLw3VtHfOj, [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
 1300561569.780331, peer lost
--- a/testing/btest/Baseline/core.analyzer-confirmation-violation-info-ftp/.stdout
+++ b/testing/btest/Baseline/core.analyzer-confirmation-violation-info-ftp/.stdout
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-analyzer_confirmation_info, Analyzer::ANALYZER_FTP, [orig_h=2001:470:1f05:17a6:d69a:20ff:fefd:6b88, orig_p=24316/tcp, resp_h=2001:6a8:a40::21, resp_p=21/tcp], 3
-analyzer_violation_info, Analyzer::ANALYZER_FTP, non-numeric reply code, [orig_h=2001:470:1f05:17a6:d69a:20ff:fefd:6b88, orig_p=24316/tcp, resp_h=2001:6a8:a40::21, resp_p=21/tcp], 3, SSH-2.0-mod_sftp/0.9.7
+analyzer_confirmation_info, Analyzer::ANALYZER_FTP, [orig_h=2001:470:1f05:17a6:d69a:20ff:fefd:6b88, orig_p=24316/tcp, resp_h=2001:6a8:a40::21, resp_p=21/tcp, proto=6], 3
+analyzer_violation_info, Analyzer::ANALYZER_FTP, non-numeric reply code, [orig_h=2001:470:1f05:17a6:d69a:20ff:fefd:6b88, orig_p=24316/tcp, resp_h=2001:6a8:a40::21, resp_p=21/tcp, proto=6], 3, SSH-2.0-mod_sftp/0.9.7
--- a/testing/btest/Baseline/core.analyzer-confirmation-violation-info/.stdout
+++ b/testing/btest/Baseline/core.analyzer-confirmation-violation-info/.stdout
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-analyzer_confirmation_info, Analyzer::ANALYZER_SSL, [orig_h=1.1.1.1, orig_p=20394/tcp, resp_h=2.2.2.2, resp_p=443/tcp], 3
-analyzer_violation_info, Analyzer::ANALYZER_SSL, Invalid version late in TLS connection. Packet reported version: 0, [orig_h=1.1.1.1, orig_p=20394/tcp, resp_h=2.2.2.2, resp_p=443/tcp], 3
+analyzer_confirmation_info, Analyzer::ANALYZER_SSL, [orig_h=1.1.1.1, orig_p=20394/tcp, resp_h=2.2.2.2, resp_p=443/tcp, proto=6], 3
+analyzer_violation_info, Analyzer::ANALYZER_SSL, Invalid version late in TLS connection. Packet reported version: 0, [orig_h=1.1.1.1, orig_p=20394/tcp, resp_h=2.2.2.2, resp_p=443/tcp, proto=6], 3
--- a/testing/btest/Baseline/core.bits_per_uid/128
+++ b/testing/btest/Baseline/core.bits_per_uid/128
@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 C2NNAAAHZBl4GS1DHFjwGM9
 CecCbjYTWM3dVm5giqnMf4h
-Fa4OcwWOGcul4a90dKFRzf3
+FYlsjBISPCV2GvSJS34ZSq2
 C6CWH0ZufRpfPJpwUYZZ6gc
-FYj5A4z884n1qUoaPxGYCAj
+FgpR680HFYI9KU9xPMWff9k
 CIdXDQc8a0ud0MLrsMUOJi2
-FnAwazCvojp6QaCQXKASXLl
+FMWIrHcLhVGdvlR8gBZwM9h
 Cae9B2GP1sJiMLUfNB0cl11
-FB9OdiKgOCJ9rXgY0sM33Ue
+Fgp7fU86mnW8UHoNbiwzP22
--- a/testing/btest/Baseline/core.bits_per_uid/256
+++ b/testing/btest/Baseline/core.bits_per_uid/256
@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 C2NNAAAHZBl4GS1DHFjwGM9
 CecCbjYTWM3dVm5giqnMf4h
-Fa4OcwWOGcul4a90dKFRzf3
+FYlsjBISPCV2GvSJS34ZSq2
 C6CWH0ZufRpfPJpwUYZZ6gc
-FYj5A4z884n1qUoaPxGYCAj
+FgpR680HFYI9KU9xPMWff9k
 CIdXDQc8a0ud0MLrsMUOJi2
-FnAwazCvojp6QaCQXKASXLl
+FMWIrHcLhVGdvlR8gBZwM9h
 Cae9B2GP1sJiMLUfNB0cl11
-FB9OdiKgOCJ9rXgY0sM33Ue
+Fgp7fU86mnW8UHoNbiwzP22
--- a/testing/btest/Baseline/core.bits_per_uid/32
+++ b/testing/btest/Baseline/core.bits_per_uid/32
@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 CHhAvV0
 CRQjp520
-FEDbaA40
+FeIYJC0
 ClEkJM20
-F6wZ8i0
+FH8iC420
 CHZeJD30
-F7BoKm10
+F9yS4V20
 C4J4Th30
-FIXQK420
+FXwxfU10
--- a/testing/btest/Baseline/core.bits_per_uid/64
+++ b/testing/btest/Baseline/core.bits_per_uid/64
@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 C2NNAAAHZBl40
 CGS1DHFjwGM90
-Fa4OcwWOGcul0
+FYlsjBISPCV20
 CecCbjYTWM3d0
-FYj5A4z884n10
+FgpR680HFYI90
 CVm5giqnMf4h0
-FnAwazCvojp60
+FMWIrHcLhVGd0
 C6CWH0ZufRpf0
-FB9OdiKgOCJ90
+Fgp7fU86mnW80
--- a/testing/btest/Baseline/core.bits_per_uid/96
+++ b/testing/btest/Baseline/core.bits_per_uid/96
@ -1,10 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 CHhAvVGS1DHFjwGM9
 ClEkJM2Vm5giqnMf4h
-FEDbaA44a90dKFRzf3
+FeIYJCGvSJS34ZSq2
 C4J4Th3PJpwUYZZ6gc
-F6wZ8iqUoaPxGYCAj
+FH8iC42KU9xPMWff9k
 CtPZjS20MLrsMUOJi2
-F7BoKm1QaCQXKASXLl
+F9yS4V2vlR8gBZwM9h
 CUM0KZ3MLUfNB0cl11
-FIXQK42rXgY0sM33Ue
+FXwxfU1UHoNbiwzP22
--- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log
+++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	-	-	-	OTH	T	F	0	C	0	0	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.221.46.9	80	192.168.1.28	53246	tcp	-	0.063810	432	0	SH	F	T	0	HcADF	4	604	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	-	-	-	OTH	T	F	0	C	0	0	0	0	-	6
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.221.46.9	80	192.168.1.28	53246	tcp	-	0.063810	432	0	SH	F	T	0	HcADF	4	604	0	0	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log
+++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	0.091969	74	432	SF	T	F	0	ShADadFf	6	338	4	604	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	0.091969	74	432	SF	T	F	0	ShADadFf	6	338	4	604	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log
+++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	0.091969	74	432	SF	T	F	0	ShADadFf	6	338	4	604	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.28	53246	35.221.46.9	80	tcp	-	0.091969	74	432	SF	T	F	0	ShADadFf	6	338	4	604	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.cisco-fabric-path/conn.log
+++ b/testing/btest/Baseline/core.cisco-fabric-path/conn.log
@ -5,38 +5,70 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	C7fIlMZDuRiqjpYbb	1.1.1.6	57005	2.2.2.2	48879	tcp	-	0.001018	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CykQaM33ztNt0csB9a	1.1.1.4	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CtxTCR2Yer0FR1tIBg	1.1.1.14	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CpmdRlaUoJLN3uIRa	1.1.1.12	57005	2.2.2.2	48879	tcp	-	0.000926	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	C1Xkzz2MaGtLrc1Tla	1.1.1.0	57005	2.2.2.2	48879	tcp	-	0.001042	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CqlVyW1YwZ15RhTBc4	1.1.1.2	57005	2.2.2.2	48879	tcp	-	0.000920	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CLNN1k2QMum1aexUK7	1.1.1.8	57005	2.2.2.2	48879	tcp	-	0.000930	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CBA8792iHmnhPLksKa	1.1.1.10	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-
-XXXXXXXXXX.XXXXXX	CGLPPc35OzDQij1XX8	1234::e	57005	5678::	48879	tcp	-	0.001139	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CiyBAq1bBLNaTiTAc	1234::c	57005	5678::	48879	tcp	-	0.001027	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CFSwNi4CNGxcuffo49	1234::6	57005	5678::	48879	tcp	-	0.001055	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	Cipfzj1BEnhejw8cGf	1234::4	57005	5678::	48879	tcp	-	0.001018	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CV5WJ42jPYbNW9JNWf	1234::8	57005	5678::	48879	tcp	-	0.001029	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CPhDKt12KQPUVbQz06	1234::a	57005	5678::	48879	tcp	-	0.001005	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CAnFrb2Cvxr5T7quOc	1234::	57005	5678::	48879	tcp	-	0.001005	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	C8rquZ3DjgNW06JGLl	1234::2	57005	5678::	48879	tcp	-	0.001120	0	0	S0	F	F	0	S	2	120	0	0	-
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	1.1.1.0	57005	2.2.2.2	48879	udp	-	0.000926	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	1.1.1.2	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	1.1.1.4	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.6	57005	2.2.2.2	48879	udp	-	0.001243	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	1.1.1.8	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	1.1.1.10	57005	2.2.2.2	48879	udp	-	0.000843	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	1.1.1.12	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	1.1.1.14	57005	2.2.2.2	48879	udp	-	0.000880	0	0	S0	F	F	0	D	2	56	0	0	-
-XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	1234::	57005	5678::	48879	udp	-	0.000898	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	1234::2	57005	5678::	48879	udp	-	0.000902	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	1234::4	57005	5678::	48879	udp	-	0.000905	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	1234::6	57005	5678::	48879	udp	-	0.000898	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	1234::8	57005	5678::	48879	udp	-	0.001010	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	Ck51lg1bScffFj34Ri	1234::a	57005	5678::	48879	udp	-	0.000894	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	1234::c	57005	5678::	48879	udp	-	0.000902	0	0	S0	F	F	0	D	2	96	0	0	-
-XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	1234::e	57005	5678::	48879	udp	-	0.001014	0	0	S0	F	F	0	D	2	96	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	C7fIlMZDuRiqjpYbb	1.1.1.6	57005	2.2.2.2	48879	tcp	-	0.001018	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CykQaM33ztNt0csB9a	1.1.1.4	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CtxTCR2Yer0FR1tIBg	1.1.1.14	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CpmdRlaUoJLN3uIRa	1.1.1.12	57005	2.2.2.2	48879	tcp	-	0.000926	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	C1Xkzz2MaGtLrc1Tla	1.1.1.0	57005	2.2.2.2	48879	tcp	-	0.001042	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CqlVyW1YwZ15RhTBc4	1.1.1.2	57005	2.2.2.2	48879	tcp	-	0.000920	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CLNN1k2QMum1aexUK7	1.1.1.8	57005	2.2.2.2	48879	tcp	-	0.000930	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CBA8792iHmnhPLksKa	1.1.1.10	57005	2.2.2.2	48879	tcp	-	0.000928	0	0	S0	F	F	0	S	2	80	0	0	-	6
+XXXXXXXXXX.XXXXXX	CGLPPc35OzDQij1XX8	1234::e	57005	5678::	48879	tcp	-	0.001139	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CiyBAq1bBLNaTiTAc	1234::c	57005	5678::	48879	tcp	-	0.001027	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CFSwNi4CNGxcuffo49	1234::6	57005	5678::	48879	tcp	-	0.001055	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	Cipfzj1BEnhejw8cGf	1234::4	57005	5678::	48879	tcp	-	0.001018	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CV5WJ42jPYbNW9JNWf	1234::8	57005	5678::	48879	tcp	-	0.001029	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CPhDKt12KQPUVbQz06	1234::a	57005	5678::	48879	tcp	-	0.001005	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CAnFrb2Cvxr5T7quOc	1234::	57005	5678::	48879	tcp	-	0.001005	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	C8rquZ3DjgNW06JGLl	1234::2	57005	5678::	48879	tcp	-	0.001120	0	0	S0	F	F	0	S	2	120	0	0	-	6
+XXXXXXXXXX.XXXXXX	CeP1sc28dOzbbYkbA	1.1.1.0	0	2.2.2.2	0	unknown_transport	-	0.000839	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	CTrywc2ra7tcWn2af	1.1.1.0	0	2.2.2.2	0	unknown_transport	-	0.000855	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	1.1.1.0	57005	2.2.2.2	48879	udp	-	0.000926	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	Ck78JG32Y4I7AGp7Vb	1.1.1.1	0	2.2.2.2	0	unknown_transport	-	0.000739	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	CzmEfj4RValNyLfT58	1.1.1.2	0	2.2.2.2	0	unknown_transport	-	0.000854	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	1.1.1.2	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CaGCc13FffXe6RkQl9	1.1.1.4	0	2.2.2.2	0	unknown_transport	-	0.000872	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	1.1.1.4	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CzrZOtXqhwwndQva3	1.1.1.6	0	2.2.2.2	0	unknown_transport	-	0.000857	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.6	57005	2.2.2.2	48879	udp	-	0.001243	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CCk2V03QgWwIurU3f	1.1.1.8	0	2.2.2.2	0	unknown_transport	-	0.001019	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	1.1.1.8	57005	2.2.2.2	48879	udp	-	0.000830	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	Cgc67J2CpHIVN7HAw4	1.1.1.10	0	2.2.2.2	0	unknown_transport	-	0.001383	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	1.1.1.10	57005	2.2.2.2	48879	udp	-	0.000843	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CeGt004UBsXLoZSeCg	1.1.1.12	0	2.2.2.2	0	unknown_transport	-	0.000963	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	1.1.1.12	57005	2.2.2.2	48879	udp	-	0.000847	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CNdne23ox8SQTgPoy3	1.1.1.14	0	2.2.2.2	0	unknown_transport	-	0.000854	0	0	OTH	F	F	0	-	2	64	0	0	-	132
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	1.1.1.14	57005	2.2.2.2	48879	udp	-	0.000880	0	0	S0	F	F	0	D	2	56	0	0	-	17
+XXXXXXXXXX.XXXXXX	CAvUKGaEgLlR4i6t2	1.1.1.16	0	2.2.2.2	0	unknown_transport	-	0.000754	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	COOKv01AQPAqfGMN9k	1.1.1.17	0	2.2.2.2	0	unknown_transport	-	0.000730	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	C0JEpR1Ij6308CwEhh	1.1.1.64	0	2.2.2.2	0	unknown_transport	-	0.000728	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	CDNchHwRoXhVzzHB2	1.1.1.65	0	2.2.2.2	0	unknown_transport	-	0.000729	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	Cgwg7Z1MHA1YkiZmm3	1.1.1.80	0	2.2.2.2	0	unknown_transport	-	0.000730	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	CQcXCjONUKqMfnhXb	1.1.1.81	0	2.2.2.2	0	unknown_transport	-	0.000730	0	0	OTH	F	F	0	-	2	40	0	0	-	99
+XXXXXXXXXX.XXXXXX	CdY2UF17xGQ6lUx7e8	1234::	0	5678::	0	unknown_transport	-	0.000766	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	CudMuD3jKHCaCU5CE	1234::	0	5678::	0	unknown_transport	-	0.000789	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	1234::	57005	5678::	48879	udp	-	0.000898	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CM4z3Z2rdNfyHYQ0Df	1234::1	0	5678::	0	unknown_transport	-	0.000663	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	CRJ9x54IaE7bkVEpad	1234::2	0	5678::	0	unknown_transport	-	0.000887	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	1234::2	57005	5678::	48879	udp	-	0.000902	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CD7vfu1qu4YJKe1nGi	1234::4	0	5678::	0	unknown_transport	-	0.000887	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	1234::4	57005	5678::	48879	udp	-	0.000905	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CKJVAj1rNx0nolFFc4	1234::6	0	5678::	0	unknown_transport	-	0.000785	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	1234::6	57005	5678::	48879	udp	-	0.000898	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CWhRtK3eXodviHmbo7	1234::8	0	5678::	0	unknown_transport	-	0.000785	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	1234::8	57005	5678::	48879	udp	-	0.001010	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CqVUM4vyqCacqFiud	1234::a	0	5678::	0	unknown_transport	-	0.000790	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	Ck51lg1bScffFj34Ri	1234::a	57005	5678::	48879	udp	-	0.000894	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CImWJ03GsvPvA0P67i	1234::c	0	5678::	0	unknown_transport	-	0.000825	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	1234::c	57005	5678::	48879	udp	-	0.000902	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CgwPkWkJfuBIJsNi4	1234::e	0	5678::	0	unknown_transport	-	0.001182	0	0	OTH	F	F	0	-	2	104	0	0	-	132
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	1234::e	57005	5678::	48879	udp	-	0.001014	0	0	S0	F	F	0	D	2	96	0	0	-	17
+XXXXXXXXXX.XXXXXX	CB0Ovs3cNZgLQ93FSh	1234::10	0	5678::	0	unknown_transport	-	0.000680	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	CkD1144ZtRYffh5zjg	1234::11	0	5678::	0	unknown_transport	-	0.000664	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	C1dGa34JRiYAKbMI0c	1234::40	0	5678::	0	unknown_transport	-	0.000665	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	C5pL731XEkARXOq253	1234::41	0	5678::	0	unknown_transport	-	0.000776	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	CVcd914ZFpaUisaVf2	1234::50	0	5678::	0	unknown_transport	-	0.000668	0	0	OTH	F	F	0	-	2	80	0	0	-	99
+XXXXXXXXXX.XXXXXX	CtEfXf4f39NRDu1Dr4	1234::51	0	5678::	0	unknown_transport	-	0.000665	0	0	OTH	F	F	0	-	2	80	0	0	-	99
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.conn-size-threshold/.stdout
+++ b/testing/btest/Baseline/core.conn-size-threshold/.stdout
@ -4,27 +4,27 @@
 0
 0
 0 secs
-Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp]
+Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6]
 3000
 2000
 63
 50
 100.0 msecs, 53.0 msecs 50.994873 usecs
-triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 100.0 msecs, F, 105.0 msecs 79.889297 usecs
-triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F
-triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 3000, T
-triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F
+triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6], 100.0 msecs, F, 105.0 msecs 79.889297 usecs
+triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6], 2000, F
+triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6], 3000, T
+triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6], 50, F
 0
 0
 0
 0
 0 secs
-Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
+Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp, proto=6]
 3000
 2000
 63
 50
 0 secs, 176.0 msecs 573.038101 usecs
-triggered duration, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 100.0 msecs, T, 176.0 msecs 573.038101 usecs
-triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F
-triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 63, T
+triggered duration, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp, proto=6], 100.0 msecs, T, 176.0 msecs 573.038101 usecs
+triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp, proto=6], 2000, F
+triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp, proto=6], 63, T
--- a/testing/btest/Baseline/core.conn-uid/output
+++ b/testing/btest/Baseline/core.conn-uid/output
@ -1,44 +1,44 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CHhAvVGS1DHFjwGM9
-[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], ClEkJM2Vm5giqnMf4h
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], C4J4Th3PJpwUYZZ6gc
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CtPZjS20MLrsMUOJi2
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], CmES5u32sYpV7JYN
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], CP5puj4I8PtEU4qzYg
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], C37jN32gN3y3AZzyf6
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], C0LAHyvtKSQHyJxIl
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], CFLRIC3zaTU1loLGxh
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], C9rXSW3KSpTYvPrlI1
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], C9mvWx3ezztgzcexV7
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], CNnMIj2QSd84NKf7U3
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], C7fIlMZDuRiqjpYbb
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], CpmdRlaUoJLN3uIRa
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], C1Xkzz2MaGtLrc1Tla
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], CqlVyW1YwZ15RhTBc4
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], CBA8792iHmnhPLksKa
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], CGLPPc35OzDQij1XX8
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], Cipfzj1BEnhejw8cGf
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], CV5WJ42jPYbNW9JNWf
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], CPhDKt12KQPUVbQz06
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], CAnFrb2Cvxr5T7quOc
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], C8rquZ3DjgNW06JGLl
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], CzrZOtXqhwwndQva3
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], CaGCc13FffXe6RkQl9
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp, proto=17], CHhAvVGS1DHFjwGM9
+[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp, proto=17], ClEkJM2Vm5giqnMf4h
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp, proto=17], C4J4Th3PJpwUYZZ6gc
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6], CtPZjS20MLrsMUOJi2
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6], CUM0KZ3MLUfNB0cl11
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6], CUM0KZ3MLUfNB0cl11
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CmES5u32sYpV7JYN
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CP5puj4I8PtEU4qzYg
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C37jN32gN3y3AZzyf6
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], C3eiCBGOLw3VtHfOj
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CwjjYJ2WqgTbAqiHl6
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C0LAHyvtKSQHyJxIl
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CFLRIC3zaTU1loLGxh
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C9rXSW3KSpTYvPrlI1
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], Ck51lg1bScffFj34Ri
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C9mvWx3ezztgzcexV7
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CNnMIj2QSd84NKf7U3
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C7fIlMZDuRiqjpYbb
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CykQaM33ztNt0csB9a
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CtxTCR2Yer0FR1tIBg
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CpmdRlaUoJLN3uIRa
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], C1Xkzz2MaGtLrc1Tla
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CqlVyW1YwZ15RhTBc4
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CLNN1k2QMum1aexUK7
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CBA8792iHmnhPLksKa
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17], CGLPPc35OzDQij1XX8
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6], CiyBAq1bBLNaTiTAc
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CwjjYJ2WqgTbAqiHl6
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], C3eiCBGOLw3VtHfOj
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], Ck51lg1bScffFj34Ri
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CtxTCR2Yer0FR1tIBg
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CykQaM33ztNt0csB9a
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6], CLNN1k2QMum1aexUK7
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6], CiyBAq1bBLNaTiTAc
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp, proto=6], CFSwNi4CNGxcuffo49
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp, proto=6], CFSwNi4CNGxcuffo49
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp, proto=17], Cipfzj1BEnhejw8cGf
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp, proto=17], CV5WJ42jPYbNW9JNWf
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17], CPhDKt12KQPUVbQz06
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp, proto=17], CAnFrb2Cvxr5T7quOc
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17], C8rquZ3DjgNW06JGLl
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp, proto=17], CzrZOtXqhwwndQva3
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp, proto=17], CaGCc13FffXe6RkQl9
--- a/testing/btest/Baseline/core.connection_flip_roles/out
+++ b/testing/btest/Baseline/core.connection_flip_roles/out
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-schedule_analyzer, current conn_id, [orig_h=192.150.187.43, orig_p=80/tcp, resp_h=141.142.228.5, resp_p=59856/tcp]
+schedule_analyzer, current conn_id, [orig_h=192.150.187.43, orig_p=80/tcp, resp_h=141.142.228.5, resp_p=59856/tcp, proto=6]
 http_request, 1.1, GET, /download/CHANGES.bro-aux.txt
 http_reply, 1.1, 200, OK
-connection_state_remove, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+connection_state_remove, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6]
--- a/testing/btest/Baseline/core.connection_flipped/out
+++ b/testing/btest/Baseline/core.connection_flipped/out
@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-1362692526.939084, new_connection, [orig_h=192.150.187.43, orig_p=80/tcp, resp_h=141.142.228.5, resp_p=59856/tcp, extra_id=42], H, 1362692526.939084
-1362692526.939344, connection_flipped, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, extra_id=42], Hs^, 1362692526.939084
-1362692527.080972, connection_state_remove, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, extra_id=42], Hs^ADadFf, 1362692526.939084
+1362692526.939084, new_connection, [orig_h=192.150.187.43, orig_p=80/tcp, resp_h=141.142.228.5, resp_p=59856/tcp, proto=6, extra_id=42], H, 1362692526.939084
+1362692526.939344, connection_flipped, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, extra_id=42], Hs^, 1362692526.939084
+1362692527.080972, connection_state_remove, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, extra_id=42], Hs^ADadFf, 1362692526.939084
--- a/testing/btest/Baseline/core.connection_status_update/out
+++ b/testing/btest/Baseline/core.connection_status_update/out
@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-new_connection, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
-connection_status_update, 1, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
-connection_status_update, 2, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
-connection_status_update, 3, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
-connection_status_update, 4, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp]
+new_connection, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp, proto=1]
+connection_status_update, 1, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp, proto=1]
+connection_status_update, 2, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp, proto=1]
+connection_status_update, 3, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp, proto=1]
+connection_status_update, 4, [orig_h=172.16.133.2, orig_p=8/icmp, resp_h=172.217.11.78, resp_p=0/icmp, proto=1]
--- a/testing/btest/Baseline/core.discarder/output
+++ b/testing/btest/Baseline/core.discarder/output
@ -1,25 +1,25 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ################ IP Discarder ################
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
 ################ TCP Discarder ################
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
 ################ UDP Discarder ################
-[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
-[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
+[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp, proto=17]
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17]
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17]
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17]
+[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp, proto=17]
 ################ ICMP Discarder ################
 Discard icmp packet: [icmp_type=3]
--- a/testing/btest/Baseline/core.erspanI/conn.log
+++ b/testing/btest/Baseline/core.erspanI/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.16.133.2	8	172.217.11.78	0	icmp	-	0.014360	280	280	OTH	T	F	0	-	5	420	5	420	CHhAvVGS1DHFjwGM9
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.16.133.2	8	172.217.11.78	0	icmp	-	0.014360	280	280	OTH	T	F	0	-	5	420	5	420	CHhAvVGS1DHFjwGM9	1
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.erspanII/conn.log
+++ b/testing/btest/Baseline/core.erspanII/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	23.0.0.2	8	23.0.0.3	0	icmp	-	0.001727	144	144	OTH	F	F	0	-	2	200	2	200	CHhAvVGS1DHFjwGM9
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	23.0.0.2	8	23.0.0.3	0	icmp	-	0.001727	144	144	OTH	F	F	0	-	2	200	2	200	CHhAvVGS1DHFjwGM9	1
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.erspanIII/conn.log
+++ b/testing/btest/Baseline/core.erspanIII/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.15.47	8	1.1.1.1	0	icmp	-	0.004305	56	56	OTH	T	F	0	-	1	84	1	84	CHhAvVGS1DHFjwGM9
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.15.47	8	1.1.1.1	0	icmp	-	0.004305	56	56	OTH	T	F	0	-	1	84	1	84	CHhAvVGS1DHFjwGM9	1
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.expire-all-timers/conn-all.log
+++ b/testing/btest/Baseline/core.expire-all-timers/conn-all.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	51889	192.168.0.1	80	tcp	-	0.000010	18	0	OTH	T	T	0	Da	1	58	1	40	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.1	51889	192.168.0.1	80	tcp	-	-	-	-	OTH	T	T	0	D	1	58	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	51889	192.168.0.1	80	tcp	-	0.000010	18	0	OTH	T	T	0	Da	1	58	1	40	-	6
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.0.0.1	51889	192.168.0.1	80	tcp	-	-	-	-	OTH	T	T	0	D	1	58	0	0	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.expire-all-timers/conn-limited.log
+++ b/testing/btest/Baseline/core.expire-all-timers/conn-limited.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	51889	192.168.0.1	80	tcp	-	300.000010	18	0	OTH	T	T	0	DaT	2	116	1	40	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	51889	192.168.0.1	80	tcp	-	300.000010	18	0	OTH	T	T	0	DaT	2	116	1	40	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.expired-conn-weird/out
+++ b/testing/btest/Baseline/core.expired-conn-weird/out
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-expired_conn_weird, test!, [orig_h=192.168.1.200, orig_p=49206/tcp, resp_h=192.168.1.150, resp_p=3389/tcp], CHhAvVGS1DHFjwGM9, test2
-expired_conn_weird, test!, [orig_h=192.168.1.200, orig_p=49206/tcp, resp_h=192.168.1.150, resp_p=3389/tcp], CHhAvVGS1DHFjwGM9, test2
+expired_conn_weird, test!, [orig_h=192.168.1.200, orig_p=49206/tcp, resp_h=192.168.1.150, resp_p=3389/tcp, proto=6], CHhAvVGS1DHFjwGM9, test2
+expired_conn_weird, test!, [orig_h=192.168.1.200, orig_p=49206/tcp, resp_h=192.168.1.150, resp_p=3389/tcp, proto=6], CHhAvVGS1DHFjwGM9, test2
--- a/testing/btest/Baseline/core.expr-exception/output
+++ b/testing/btest/Baseline/core.expr-exception/output
@ -1,19 +1,19 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ftp field missing
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
 ftp field missing
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp]
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp, proto=6]
--- a/testing/btest/Baseline/core.history-flip/conn.log
+++ b/testing/btest/Baseline/core.history-flip/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	orig_l2_addr	resp_l2_addr
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	F	F	0	^hADdFaf	11	670	10	9945	-	00:d0:03:3b:f4:00	00:b0:c2:86:ec:00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id	orig_l2_addr	resp_l2_addr
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.550793	98	9417	SF	F	F	0	^hADdFaf	11	670	10	9945	-	6	00:d0:03:3b:f4:00	00:b0:c2:86:ec:00
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.icmp.icmp-context/output
+++ b/testing/btest/Baseline/core.icmp.icmp-context/output
@ -1,13 +1,13 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 icmp_unreachable (code=0)
-  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=3, icode=0, len=0, ttl=64]
-  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown, proto=1], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
 icmp_unreachable (code=0)
-  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=3/icmp, resp_h=10.0.0.2, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=3, icode=0, len=20, ttl=64]
-  icmp_context: [id=[orig_h=10.0.0.2, orig_p=0/unknown, resp_h=10.0.0.1, resp_p=0/unknown], len=20, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=10.0.0.2, orig_p=0/unknown, resp_h=10.0.0.1, resp_p=0/unknown, proto=1], len=20, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
 icmp_unreachable (code=3)
-  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
+  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp, proto=1]
  icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128]
-  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp, proto=1], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
--- a/testing/btest/Baseline/core.icmp.icmp-events/output
+++ b/testing/btest/Baseline/core.icmp.icmp-events/output
@ -1,21 +1,21 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 icmp_unreachable (code=3)
-  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp]
+  conn_id: [orig_h=192.168.1.102, orig_p=3/icmp, resp_h=192.168.1.1, resp_p=3/icmp, proto=1]
  icmp_info: [v6=F, itype=3, icode=3, len=148, ttl=128]
-  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=192.168.1.1, orig_p=53/udp, resp_h=192.168.1.102, resp_p=59207/udp, proto=1], len=163, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_time_exceeded (code=0)
-  conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=11, icode=0, len=32, ttl=64]
-  icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp, proto=1], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
-  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64]
 icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
-  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56]
 icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
-  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=8, icode=0, len=56, ttl=64]
 icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
-  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
+  conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp, proto=1]
  icmp_info: [v6=F, itype=0, icode=0, len=56, ttl=56]
--- a/testing/btest/Baseline/core.icmp.icmp6-context/output
+++ b/testing/btest/Baseline/core.icmp.icmp6-context/output
@ -1,17 +1,17 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 icmp_unreachable (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=1, icode=0, len=0, ttl=64]
-  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=::, orig_p=0/unknown, resp_h=::, resp_p=0/unknown, proto=58], len=0, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
 icmp_unreachable (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=1, icode=0, len=40, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown, proto=58], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
 icmp_unreachable (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp, proto=58], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_unreachable (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=1, icode=0, len=48, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=0/unknown, resp_h=fe80::dead, resp_p=0/unknown, proto=58], len=48, proto=0, frag_offset=0, bad_hdr_len=T, bad_checksum=F, MF=F, DF=F]
--- a/testing/btest/Baseline/core.icmp.icmp6-events/output
+++ b/testing/btest/Baseline/core.icmp.icmp6-events/output
@ -1,46 +1,46 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 icmp_unreachable (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=1/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=1, icode=0, len=60, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp, proto=58], len=60, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_packet_too_big (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=2/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=2/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=2, icode=0, len=52, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp, proto=58], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_time_exceeded (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=3/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=3/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=3, icode=0, len=52, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp, proto=58], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_parameter_problem (code=0)
-  conn_id: [orig_h=fe80::dead, orig_p=4/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=4/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=4, icode=0, len=52, ttl=64]
-  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
+  icmp_context: [id=[orig_h=fe80::beef, orig_p=30000/udp, resp_h=fe80::dead, resp_p=13000/udp, proto=58], len=52, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
 icmp_echo_request (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=3, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=4, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=5, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_echo_request (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=128, icode=0, len=32, ttl=128]
 icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi)
-  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp]
+  conn_id: [orig_h=2620:0:e00:400e:d1d:db37:beb:5aac, orig_p=128/icmp, resp_h=2001:4860:8006::63, resp_p=129/icmp, proto=58]
  icmp_info: [v6=T, itype=129, icode=0, len=32, ttl=47]
 icmp_redirect (tgt=fe80::cafe, dest=fe80::babe)
-  conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp, proto=58]
  icmp_info: [v6=T, itype=137, icode=0, len=32, ttl=255]
  options: []
 icmp_router_advertisement
@ -54,21 +54,21 @@ icmp_router_advertisement
    router_lifetime=30.0 mins
    reachable_time=3.0 secs 700.0 msecs
    retrans_timer=1.0 sec 300.0 msecs
-  conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp, proto=58]
  icmp_info: [v6=T, itype=134, icode=0, len=8, ttl=255]
  options: []
 icmp_neighbor_advertisement (tgt=fe80::babe)
    router=T
    solicited=F
    override=T
-  conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp, proto=58]
  icmp_info: [v6=T, itype=136, icode=0, len=16, ttl=255]
  options: []
 icmp_router_solicitation
-  conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp, proto=58]
  icmp_info: [v6=T, itype=133, icode=0, len=0, ttl=255]
  options: []
 icmp_neighbor_solicitation (tgt=fe80::babe)
-  conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp]
+  conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp, proto=58]
  icmp_info: [v6=T, itype=135, icode=0, len=16, ttl=255]
  options: []
--- a/testing/btest/Baseline/core.icmp.icmp6-nd-options/output
+++ b/testing/btest/Baseline/core.icmp.icmp6-nd-options/output
@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 icmp_redirect options
-    [otype=4, len=8, link_address=<uninitialized>, prefix=<uninitialized>, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=<uninitialized>, payload=<uninitialized>]
+    [otype=4, len=8, link_address=<uninitialized>, prefix=<uninitialized>, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp, proto=58], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=<uninitialized>, payload=<uninitialized>]
 icmp_neighbor_advertisement options
    [otype=2, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
     MAC: c20054f50000
--- a/testing/btest/Baseline/core.icmp.icmp_sent/out
+++ b/testing/btest/Baseline/core.icmp.icmp_sent/out
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1]
-icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [v6=T, itype=143, icode=0, len=20, ttl=1], 20
+icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp, proto=58], [v6=T, itype=143, icode=0, len=20, ttl=1]
+icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp, proto=58], [v6=T, itype=143, icode=0, len=20, ttl=1], 20
--- a/testing/btest/Baseline/core.ipv6-atomic-frag/output
+++ b/testing/btest/Baseline/core.ipv6-atomic-frag/output
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=2001:db8:1::2, orig_p=36951/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp]
-[orig_h=2001:db8:1::2, orig_p=59694/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp]
-[orig_h=2001:db8:1::2, orig_p=27393/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp]
-[orig_h=2001:db8:1::2, orig_p=45805/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp]
+[orig_h=2001:db8:1::2, orig_p=36951/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp, proto=6]
+[orig_h=2001:db8:1::2, orig_p=59694/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp, proto=6]
+[orig_h=2001:db8:1::2, orig_p=27393/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp, proto=6]
+[orig_h=2001:db8:1::2, orig_p=45805/tcp, resp_h=2001:db8:1::1, resp_p=80/tcp, proto=6]
--- a/testing/btest/Baseline/core.ipv6-flow-labels/output
+++ b/testing/btest/Baseline/core.ipv6-flow-labels/output
@ -1,75 +1,75 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp, proto=6]
    orig_flow 0
    resp_flow 7407
    old_label 0
    new_label 7407
-new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp, proto=6]
    orig_flow 0
    resp_flow 176012
    old_label 0
    new_label 176012
-new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp, proto=6]
    orig_flow 0
    resp_flow 390927
    old_label 0
    new_label 390927
-new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp, proto=6]
    orig_flow 0
    resp_flow 0
-connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp, proto=6]
    orig_flow 0
    resp_flow 364705
    old_label 0
    new_label 364705
-connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp, proto=6]
    orig_flow 0
    resp_flow 176012
-connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp, proto=6]
    orig_flow 0
    resp_flow 390927
-connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp, proto=6]
    orig_flow 0
    resp_flow 364705
-new_connection: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+new_connection: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp, proto=6]
    orig_flow 267377
    resp_flow 0
-connection_established: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+connection_established: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp, proto=6]
    orig_flow 267377
    resp_flow 126027
-new_connection: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+new_connection: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp, proto=6]
    orig_flow 355265
    resp_flow 0
-connection_established: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+connection_established: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp, proto=6]
    orig_flow 355265
    resp_flow 126028
-connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp, proto=6]
    orig_flow 267377
    resp_flow 126027
-connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp, proto=6]
    orig_flow 0
    resp_flow 7407
-connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp, proto=6]
    orig_flow 355265
    resp_flow 126028
--- a/testing/btest/Baseline/core.ipv6_ext_headers/output
+++ b/testing/btest/Baseline/core.ipv6_ext_headers/output
@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 weird routing0_hdr from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:78:1:32::2
-[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=53/udp, resp_h=2001:78:1:32::2, resp_p=53/udp]
+[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=53/udp, resp_h=2001:78:1:32::2, resp_p=53/udp, proto=17]
 [ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\x00\x00\x00\x00]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\x00\x00\x00\x00 \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x01 \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x02], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]
--- a/testing/btest/Baseline/core.ipv6_zero_len_ah/output
+++ b/testing/btest/Baseline/core.ipv6_zero_len_ah/output
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=2000:1300::1, orig_p=128/icmp, resp_h=2000:1300::2, resp_p=129/icmp]
+[orig_h=2000:1300::1, orig_p=128/icmp, resp_h=2000:1300::2, resp_p=129/icmp, proto=58]
 [ip=<uninitialized>, ip6=[class=0, flow=0, len=166, nxt=51, hlim=255, src=2000:1300::1, dst=2000:1300::2, exts=[[id=51, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=[nxt=58, len=0, rsv=0, spi=0, seq=<uninitialized>, data=<uninitialized>], esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=<uninitialized>, icmp=[icmp_type=128]]
--- a/testing/btest/Baseline/core.linuxsll2/.stdout
+++ b/testing/btest/Baseline/core.linuxsll2/.stdout
@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=8, icode=0, len=56, ttl=64], 8, 1
-[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp], [v6=F, itype=0, icode=0, len=56, ttl=64], 8, 1
-[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=128, icode=0, len=56, ttl=64], 9, 1
-[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp], [v6=T, itype=129, icode=0, len=56, ttl=64], 9, 1
+[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp, proto=1], [v6=F, itype=8, icode=0, len=56, ttl=64], 8, 1
+[orig_h=192.0.2.1, orig_p=8/icmp, resp_h=192.0.2.1, resp_p=0/icmp, proto=1], [v6=F, itype=0, icode=0, len=56, ttl=64], 8, 1
+[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp, proto=58], [v6=T, itype=128, icode=0, len=56, ttl=64], 9, 1
+[orig_h=fe80::8c36:6ff:fe44:acaf, orig_p=128/icmp, resp_h=fe80::8c36:6ff:fe44:acaf, resp_p=129/icmp, proto=58], [v6=T, itype=129, icode=0, len=56, ttl=64], 9, 1
 8e:36:06:44:ac:af, 00:00:00:00:00:00, 192.0.2.1, 8e:36:06:44:ac:af, 192.0.2.2, 00:00:00:00:00:00
--- a/testing/btest/Baseline/core.mobile-ipv6-home-addr/output
+++ b/testing/btest/Baseline/core.mobile-ipv6-home-addr/output
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=2001:78:1:32::1, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp]
+[orig_h=2001:78:1:32::1, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp, proto=17]
 [ip=<uninitialized>, ip6=[class=0, flow=0, len=36, nxt=60, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=60, hopopts=<uninitialized>, dstopts=[nxt=17, len=2, options=[[otype=1, len=2, data=\x00\x00], [otype=201, len=16, data= \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x01]]], routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=30000/udp, dport=13000/udp, ulen=12], icmp=<uninitialized>]
--- a/testing/btest/Baseline/core.mobile-ipv6-routing/output
+++ b/testing/btest/Baseline/core.mobile-ipv6-routing/output
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:78:1:32::1, resp_p=13000/udp]
+[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:78:1:32::1, resp_p=13000/udp, proto=17]
 [ip=<uninitialized>, ip6=[class=0, flow=0, len=36, nxt=43, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=2, rtype=2, segleft=1, data=\x00\x00\x00\x00 \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x01], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=30000/udp, dport=13000/udp, ulen=12], icmp=<uninitialized>]
--- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log
+++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
@ -5,9 +5,9 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	D	1	257	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	^d	0	0	1	1500	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	D	1	710	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	D	1	257	0	0	-	6
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	^d	0	0	1	1500	-	6
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	F	F	0	D	1	710	0	0	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.pbb/conn.log
+++ b/testing/btest/Baseline/core.pbb/conn.log
@ -5,7 +5,9 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.199.249.11	49601	10.199.249.12	49416	tcp	-	0.002215	209	0	SF	T	T	0	ShADFaf	5	421	3	132	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.199.242.132	0	224.0.0.5	0	unknown_transport	-	-	-	-	OTH	T	F	0	-	1	76	0	0	-	89
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	10.199.245.2	0	224.0.0.18	0	unknown_transport	-	-	-	-	OTH	T	F	0	-	1	40	0	0	-	112
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.199.249.11	49601	10.199.249.12	49416	tcp	-	0.002215	209	0	SF	T	T	0	ShADFaf	5	421	3	132	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
+++ b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
@ -5,22 +5,22 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	F	F	0	D	1	73	0	0	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	F	F	0	Dd	1	66	1	117	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	F	F	0	Dd	1	80	1	127	-
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	F	F	0	Dd	1	66	1	211	-
-XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	F	F	0	Dd	1	66	1	117	-
-XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	F	F	0	Dd	1	80	1	127	-
-XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	F	F	0	Dd	1	66	1	211	-
-XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	F	F	0	Dd	1	66	1	117	-
-XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	F	F	0	Dd	1	80	1	127	-
-XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	F	F	0	Dd	1	66	1	211	-
-XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	F	F	0	Dd	1	66	1	117	-
-XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	F	F	0	Dd	1	80	1	127	-
-XXXXXXXXXX.XXXXXX	Ck51lg1bScffFj34Ri	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	F	F	0	Dd	1	66	1	211	-
-XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	F	F	0	Dd	1	64	1	159	-
-XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	F	F	0	Dd	1	64	1	226	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	141.142.220.118	35634	208.80.152.2	80	tcp	-	-	-	-	OTH	F	F	0	D	1	515	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	F	F	0	D	1	73	0	0	-	17
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	F	F	0	Dd	1	66	1	117	-	17
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	F	F	0	Dd	1	80	1	127	-	17
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	F	F	0	Dd	1	66	1	211	-	17
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	F	F	0	Dd	1	66	1	117	-	17
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	F	F	0	Dd	1	80	1	127	-	17
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	F	F	0	Dd	1	66	1	211	-	17
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	F	F	0	Dd	1	66	1	117	-	17
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	F	F	0	Dd	1	80	1	127	-	17
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	F	F	0	Dd	1	66	1	211	-	17
+XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	F	F	0	Dd	1	66	1	117	-	17
+XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	F	F	0	Dd	1	80	1	127	-	17
+XXXXXXXXXX.XXXXXX	Ck51lg1bScffFj34Ri	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	F	F	0	Dd	1	66	1	211	-	17
+XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	F	F	0	Dd	1	64	1	159	-	17
+XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	F	F	0	Dd	1	64	1	226	-	17
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	141.142.220.118	35634	208.80.152.2	80	tcp	-	-	-	-	OTH	F	F	0	D	1	515	0	0	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.pcap.dynamic-filter/output
+++ b/testing/btest/Baseline/core.pcap.dynamic-filter/output
@ -1,31 +1,31 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-1, [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp]
-2, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
-3, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp]
-4, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp]
-5, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp]
-6, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp]
-7, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp]
-8, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp]
-9, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp]
-10, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp]
-11, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp]
-12, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp]
-13, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp]
-14, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp]
-15, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp]
-16, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp]
-17, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp]
-18, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp]
-19, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp]
-20, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp]
-21, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp]
-22, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp]
-23, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp]
-24, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp]
-25, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp]
-26, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp]
-27, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp]
-28, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp]
-29, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp]
-30, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp]
+1, [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp, proto=17]
+2, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp, proto=6]
+3, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+4, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+5, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+6, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+7, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+8, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+9, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+10, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+11, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+12, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+13, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+14, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+15, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+16, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+17, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+18, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+19, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+20, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+21, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+22, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+23, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+24, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+25, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+26, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+27, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+28, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+29, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
+30, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp, proto=17]
--- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log
+++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	F	F	0	ShADad	6	1468	4	950	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	F	F	0	ShADad	6	1468	4	950	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.ppp/conn.log
+++ b/testing/btest/Baseline/core.ppp/conn.log
@ -5,9 +5,9 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-0.000000	CHhAvVGS1DHFjwGM9	::	135	ff02::1:ff00:3	136	icmp	-	0.008000	48	0	OTH	T	F	0	-	2	144	0	0	-
-0.016059	ClEkJM2Vm5giqnMf4h	::	135	ff02::1:ff00:4	136	icmp	-	0.002000	48	0	OTH	T	F	0	-	2	144	0	0	-
-0.669020	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	udp	-	0.112400	4039	11996	SF	F	F	0	Dd	10	4319	12	12332	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+0.000000	CHhAvVGS1DHFjwGM9	::	135	ff02::1:ff00:3	136	icmp	-	0.008000	48	0	OTH	T	F	0	-	2	144	0	0	-	58
+0.016059	ClEkJM2Vm5giqnMf4h	::	135	ff02::1:ff00:4	136	icmp	-	0.002000	48	0	OTH	T	F	0	-	2	144	0	0	-	58
+0.669020	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	udp	-	0.112400	4039	11996	SF	F	F	0	Dd	10	4319	12	12332	-	17
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log
+++ b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	tcp	-	273.626833	11352	4984	SF	F	F	0	ShADdtaTTtFf	44	25283	42	13001	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	tcp	-	273.626833	11352	4984	SF	F	F	0	ShADdtaTTtFf	44	25283	42	13001	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.pppoe/conn.log
+++ b/testing/btest/Baseline/core.pppoe/conn.log
@ -5,13 +5,13 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	T	T	0	-	5	500	5	500	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	T	T	0	-	1	64	0	0	-
-XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	T	T	0	D	2	288	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	T	F	0	-	1	64	0	0	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	T	F	0	-	8	608	0	0	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	T	F	0	-	1	48	0	0	-
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	T	F	0	D	2	210	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	T	T	0	-	5	500	5	500	-	58
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	T	T	0	-	1	64	0	0	-	58
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	T	T	0	D	2	288	0	0	-	17
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	T	F	0	-	1	64	0	0	-	58
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	T	F	0	-	8	608	0	0	-	58
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	T	F	0	-	1	48	0	0	-	58
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	T	F	0	D	2	210	0	0	-	17
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	http	0.004152	9	3429	SF	T	T	0	ShADadfF	7	381	7	3801	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	http	0.004152	9	3429	SF	T	T	0	ShADadfF	7	381	7	3801	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.q-in-q/conn.log
+++ b/testing/btest/Baseline/core.q-in-q/conn.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.19.51.37	47808	172.19.51.63	47808	udp	-	0.000100	36	0	S0	T	T	0	D	2	92	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	193.1.186.60	9875	224.2.127.254	9875	udp	-	0.000139	552	0	S0	F	F	0	D	2	608	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.19.51.37	47808	172.19.51.63	47808	udp	-	0.000100	36	0	S0	T	T	0	D	2	92	0	0	-	17
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	193.1.186.60	9875	224.2.127.254	9875	udp	-	0.000139	552	0	S0	F	F	0	D	2	608	0	0	-	17
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.radiotap/conn.log
+++ b/testing/btest/Baseline/core.radiotap/conn.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.156.76	61738	208.67.220.220	53	udp	dns	0.041654	35	128	SF	T	F	0	Dd	1	63	1	156	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	dns	-	-	-	S0	T	F	0	D	1	328	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.156.76	61738	208.67.220.220	53	udp	dns	0.041654	35	128	SF	T	F	0	Dd	1	63	1	156	-	17
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	fe80::a667:6ff:fef7:ec54	5353	ff02::fb	5353	udp	dns	-	-	-	S0	T	F	0	D	1	328	0	0	-	17
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.reassembly/output
+++ b/testing/btest/Baseline/core.reassembly/output
@ -23,10 +23,10 @@ net_weird, truncated_IP_len
 net_weird, truncated_IP_len
 net_weird, truncated_IP_len
 net_weird, truncated_IP_len
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], dgphrodofqhq, orgmmpelofil, A
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], lenhfdqhqfgs, dfpqssidkpdg, A
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
 net_weird, truncated_IP_len
-rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP
+rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp, proto=6], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP
--- a/testing/btest/Baseline/core.skip_analyzer/conn.log
+++ b/testing/btest/Baseline/core.skip_analyzer/conn.log
@ -5,13 +5,13 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	66.59.111.190	40264	172.28.2.3	22	tcp	-	3.157831	952	1671	SF	F	T	0	ShAdDaFf	12	1584	10	2199	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	66.59.111.190	123	18.26.4.105	123	udp	-	0.074086	48	48	SF	F	F	0	Dd	1	76	1	76	-
-XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	66.59.111.190	123	66.59.111.182	123	udp	-	0.056629	48	48	SF	F	F	0	Dd	1	76	1	76	-
-XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	66.59.111.190	123	129.170.17.4	123	udp	-	0.072374	48	48	SF	F	F	0	Dd	1	76	1	76	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	66.59.111.190	8	172.28.2.3	0	icmp	-	3.061298	224	224	OTH	F	T	0	-	4	336	4	336	-
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	66.59.111.190	37675	172.28.2.3	53	udp	-	5.001141	66	0	S0	F	T	0	D	2	122	0	0	-
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	172.28.2.3	3	66.59.111.190	3	icmp	-	4.994662	122	0	OTH	T	F	0	-	2	178	0	0	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	66.59.111.190	40264	172.28.2.3	22	tcp	-	3.157831	952	1671	SF	F	T	0	ShAdDaFf	12	1584	10	2199	-	6
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	66.59.111.190	123	18.26.4.105	123	udp	-	0.074086	48	48	SF	F	F	0	Dd	1	76	1	76	-	17
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	66.59.111.190	123	66.59.111.182	123	udp	-	0.056629	48	48	SF	F	F	0	Dd	1	76	1	76	-	17
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	66.59.111.190	123	129.170.17.4	123	udp	-	0.072374	48	48	SF	F	F	0	Dd	1	76	1	76	-	17
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	66.59.111.190	8	172.28.2.3	0	icmp	-	3.061298	224	224	OTH	F	T	0	-	4	336	4	336	-	1
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	66.59.111.190	37675	172.28.2.3	53	udp	-	5.001141	66	0	S0	F	T	0	D	2	122	0	0	-	17
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	172.28.2.3	3	66.59.111.190	3	icmp	-	4.994662	122	0	OTH	T	F	0	-	2	178	0	0	-	1
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.suspend_processing.broker/worker..stdout
+++ b/testing/btest/Baseline/core.suspend_processing.broker/worker..stdout
@ -4,6 +4,6 @@
 0.0, Broker::peer_added
 0.0, do_continue_processing
 1362692526.869344, network_time_init
-1362692526.869344, new_connection, CHhAvVGS1DHFjwGM9, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+1362692526.869344, new_connection, CHhAvVGS1DHFjwGM9, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6]
 1362692527.080972, Pcap::file_done, <...>/get.trace
 1362692527.080972, zeek_done
--- a/testing/btest/Baseline/core.tcp-padding/conn.log
+++ b/testing/btest/Baseline/core.tcp-padding/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.221.30.181	59406	217.207.159.63	27272	tcp	http	10.914549	16	191	SF	F	F	0	ShADadfF	13	704	12	823	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	167.221.30.181	59406	217.207.159.63	27272	tcp	http	10.914549	16	191	SF	F	F	0	ShADadfF	13	704	12	823	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log
+++ b/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	6669	192.150.187.43	80	tcp	http	0.141744	136	5007	SF	F	F	0	^hADadFf	6	456	7	5371	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	6669	192.150.187.43	80	tcp	http	0.141744	136	5007	SF	F	F	0	^hADadFf	6	456	7	5371	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@ -5,9 +5,9 @@
 #unset_field	-
 #path	conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	T	T	0	ShAdfFa	5	272	4	486	-
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	T	T	5416642848	ShAdgfFa	13	688	12	24454	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	T	T	0	ShAdDaFf	31	1728	18	1985	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	protocol_id
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	T	T	0	ShAdfFa	5	272	4	486	-	6
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	T	T	5416642848	ShAdgfFa	13	688	12	24454	-	6
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	T	T	0	ShAdDaFf	31	1728	18	1985	-	6
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
-XXXXXXXXXX.XXXXXX	FnoIda1WW6kUCpRjRc	ClEkJM2Vm5giqnMf4h	192.168.56.1	59763	192.168.56.101	63988	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	T	F	270	-	0	0	F	-	-	-	-	-	-	-
-XXXXXXXXXX.XXXXXX	F1jSMF2ntWAIdj4juj	C4J4Th3PJpwUYZZ6gc	192.168.56.1	59764	192.168.56.101	37150	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	T	F	23822	-	5416642848	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	Fjmqwy1FKo9XjnwYM8	ClEkJM2Vm5giqnMf4h	192.168.56.1	59763	192.168.56.101	63988	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	T	F	270	-	0	0	F	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	F2icTy1PCA9KUdZ0U3	C4J4Th3PJpwUYZZ6gc	192.168.56.1	59764	192.168.56.101	37150	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	T	F	23822	-	5416642848	0	F	-	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`zeek_add_plugin(Zeek UnknownIP SOURCES UnknownIPTransport.cc UnknownIPSessionAdapter.cc Plugin.cc)`