diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index 5de8469709..f399d1efeb 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -158,9 +158,11 @@ export {
 		## *uid* values for any encapsulating parent connections
 		## used over the lifetime of this inner connection.
 		tunnel_parents: set[string] &log &optional;
-		## The numeric identifier for the transport protocol for this
-		## connection.
-		protocol_id: count &log &optional;
+		## For IP-based connections, this contains the protocol
+		## identifier passed in the IP header. This is different
+		## from the ``proto`` field in that this value comes
+		## directly from the header.
+		ip_proto: count &log &optional;
 	};
 
 	## Event that can be handled to access the :zeek:type:`Conn::Info`
@@ -285,7 +287,7 @@ function set_conn(c: connection, eoc: bool)
 		c$conn$history=c$history;
 		}
 
-	c$conn$protocol_id = c$id$proto;
+	c$conn$ip_proto = c$id$proto;
 	}
 
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
diff --git a/scripts/policy/protocols/conn/protocol-strings.zeek b/scripts/policy/protocols/conn/protocol-strings.zeek
index 67770a7fa6..57ae8f560e 100644
--- a/scripts/policy/protocols/conn/protocol-strings.zeek
+++ b/scripts/policy/protocols/conn/protocol-strings.zeek
@@ -1,12 +1,12 @@
-##! This script adds a string version of the protocol_id field
+##! This script adds a string version of the ip_proto field
 
 @load base/protocols/conn
 
 module Conn;
 
 redef record Info += {
-	## A string version of the protocol_id field
-	protocol_name: string &log &optional;
+	## A string version of the ip_proto field
+	ip_proto_name: string &log &optional;
 };
 
 global protocol_names: table[count] of string = {
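Review bot: The new doc comment on `ip_proto` says the value differs from `proto` but not how, and that difference is exactly what an analyst writing detection content against conn.log needs to know. The baselines in this same commit show it concretely: OSPF and VRRP traffic logs `proto=unknown_transport` with `ip_proto` 89 and 112, and ICMPv6 traffic logs `proto=icmp` with `ip_proto` 58. I would extend the comment with a sentence such as `## Unlike proto, which collapses non-TCP/UDP/ICMP traffic to unknown_transport and reports ICMPv6 as icmp, this keeps the raw protocol number (e.g. 58, 89, 112).` so that the two fields are not treated as interchangeable. If `protocol_id` ever shipped in a release, the rename is a breaking log-schema change for downstream parsers and should be called out in NEWS; I cannot tell from this diff whether that applies. The enclosing `Conn::Info` record and `export` block extend beyond the hunk.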
@@ -159,9 +159,9 @@ global protocol_names: table[count] of string = { }; event connection_state_remove(c: connection) { - if ( c$conn$protocol_id in protocol_names ) { - c$conn$protocol_name = protocol_names[c$conn$protocol_id]; + if ( c$conn$ip_proto in protocol_names ) { + c$conn$ip_proto_name = protocol_names[c$conn$ip_proto]; } else { - c$conn$protocol_name = "unknown"; + c$conn$ip_proto_name = "unknown"; } } diff --git a/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log b/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log index 46fc41609a..63ac7a3cbe 100644 --- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log +++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-failed.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.28 53246 35.221.46.9 80 tcp - - - - OTH T F 0 C 0 0 0 0 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.221.46.9 80 192.168.1.28 53246 tcp - 0.063810 432 0 SH F T 0 HcADF 4 604 0 0 - 6 diff --git a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log index e77f661aa3..ed25e41682 100644 --- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log 
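Review bot: The `connection_state_remove` handler dereferences `c$conn$ip_proto` without checking that `c$conn` and the `&optional` field are set, so if it ever runs before the base conn script has populated the record (it declares no `&priority`, so it relies entirely on the base handlers' ordering) it raises a runtime error instead of logging `unknown`. A cheap guard at the top of the handler keeps it safe: `if ( ! c?$conn || ! c$conn?$ip_proto ) return;`. I would also document the ordering dependency with a comment along the lines of `# Default priority: must run after the base conn script has filled ip_proto and before it writes the log record`, worded to match however base/protocols/conn actually orders those handlers, which is not visible here. The `protocol_names` table that this hunk closes with `};` is defined above the hunk.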
+++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked-multi-subnets.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.28 53246 35.221.46.9 80 tcp - 0.091969 74 432 SF T F 0 ShADadFf 6 338 4 604 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log index e77f661aa3..ed25e41682 100644 --- a/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log +++ b/testing/btest/Baseline/core.checksums_ignore_nets/conn-worked.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.28 53246 35.221.46.9 80 tcp - 0.091969 74 432 SF T F 0 ShADadFf 6 338 4 604 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.cisco-fabric-path/conn.log b/testing/btest/Baseline/core.cisco-fabric-path/conn.log index 96a8d2dce0..56cf48cf12 100644 --- a/testing/btest/Baseline/core.cisco-fabric-path/conn.log +++ b/testing/btest/Baseline/core.cisco-fabric-path/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 1.1.1.6 57005 2.2.2.2 48879 tcp - 0.001018 0 0 S0 F F 0 S 2 80 0 0 - 6 XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 1.1.1.4 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 F F 0 S 2 80 0 0 - 6 
diff --git a/testing/btest/Baseline/core.erspanI/conn.log b/testing/btest/Baseline/core.erspanI/conn.log index afa9bc1608..2f13900f08 100644 --- a/testing/btest/Baseline/core.erspanI/conn.log +++ b/testing/btest/Baseline/core.erspanI/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.133.2 8 172.217.11.78 0 icmp - 0.014360 280 280 OTH T F 0 - 5 420 5 420 CHhAvVGS1DHFjwGM9 1 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.erspanII/conn.log b/testing/btest/Baseline/core.erspanII/conn.log index c6eebbda12..766d2f798b 100644 --- a/testing/btest/Baseline/core.erspanII/conn.log +++ b/testing/btest/Baseline/core.erspanII/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 23.0.0.2 8 23.0.0.3 0 icmp - 0.001727 144 144 OTH F F 0 - 2 200 2 200 CHhAvVGS1DHFjwGM9 1 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.erspanIII/conn.log b/testing/btest/Baseline/core.erspanIII/conn.log index d63d5f3aca..d96853e068 100644 --- a/testing/btest/Baseline/core.erspanIII/conn.log +++ b/testing/btest/Baseline/core.erspanIII/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.15.47 8 1.1.1.1 0 icmp - 0.004305 56 56 OTH T F 0 - 1 84 1 84 CHhAvVGS1DHFjwGM9 1 #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/core.expire-all-timers/conn-all.log b/testing/btest/Baseline/core.expire-all-timers/conn-all.log index 9c14b0910d..eb02860234 100644 --- a/testing/btest/Baseline/core.expire-all-timers/conn-all.log +++ b/testing/btest/Baseline/core.expire-all-timers/conn-all.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 51889 192.168.0.1 80 tcp - 0.000010 18 0 OTH T T 0 Da 1 58 1 40 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.1 51889 192.168.0.1 80 tcp - - - - OTH T T 0 D 1 58 0 0 - 6 diff --git a/testing/btest/Baseline/core.expire-all-timers/conn-limited.log b/testing/btest/Baseline/core.expire-all-timers/conn-limited.log index c5ed95e3ff..61bf0fc97a 100644 --- a/testing/btest/Baseline/core.expire-all-timers/conn-limited.log +++ b/testing/btest/Baseline/core.expire-all-timers/conn-limited.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 51889 192.168.0.1 80 tcp - 300.000010 18 0 OTH T T 0 DaT 2 116 1 40 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log index d259b2ac7a..26f8b8917f 100644 --- a/testing/btest/Baseline/core.history-flip/conn.log +++ b/testing/btest/Baseline/core.history-flip/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id orig_l2_addr resp_l2_addr +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF F F 0 ^hADdFaf 11 670 10 9945 - 6 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.mpls-in-vlan/conn.log b/testing/btest/Baseline/core.mpls-in-vlan/conn.log index 61557e3969..30ac39ffb9 100644 --- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log +++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH F F 0 D 1 257 0 0 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH F F 0 ^d 0 0 1 1500 - 6 diff --git a/testing/btest/Baseline/core.pbb/conn.log b/testing/btest/Baseline/core.pbb/conn.log index 4afae56d39..0c2150a195 100644 --- a/testing/btest/Baseline/core.pbb/conn.log +++ b/testing/btest/Baseline/core.pbb/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.242.132 0 224.0.0.5 0 unknown_transport - - - - OTH T F 0 - 1 76 0 0 - 89 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.245.2 0 224.0.0.18 0 unknown_transport - - - - OTH T F 0 - 1 40 0 0 - 112 diff --git a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log index 2a11311c4c..db72e48d26 100644 --- a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log +++ b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 F F 0 D 1 73 0 0 - 17 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log index f7ee4aab84..6d9a3a2af7 100644 --- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log +++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 F F 0 ShADad 6 1468 4 950 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.ppp/conn.log b/testing/btest/Baseline/core.ppp/conn.log index 26ec6cdf2c..300a44cdb0 100644 --- a/testing/btest/Baseline/core.ppp/conn.log +++ b/testing/btest/Baseline/core.ppp/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 0.000000 CHhAvVGS1DHFjwGM9 :: 135 ff02::1:ff00:3 136 icmp - 0.008000 48 0 OTH T F 0 - 2 144 0 0 - 58 0.016059 ClEkJM2Vm5giqnMf4h :: 135 ff02::1:ff00:4 136 icmp - 0.002000 48 0 OTH T F 0 - 2 144 0 0 - 58 
diff --git a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log index a243cefa1f..4225bae72f 100644 --- a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log +++ b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF F F 0 ShADdtaTTtFf 44 25283 42 13001 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.pppoe/conn.log b/testing/btest/Baseline/core.pppoe/conn.log index ea2a080728..5e5a5b0468 100644 --- a/testing/btest/Baseline/core.pppoe/conn.log +++ b/testing/btest/Baseline/core.pppoe/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH T T 0 - 5 500 5 500 - 58 XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH T T 0 - 1 64 0 0 - 58 diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index 90a2b76787..e4a0577ab3 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp http 0.004152 9 3429 SF T T 0 ShADadfF 7 381 7 3801 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.q-in-q/conn.log b/testing/btest/Baseline/core.q-in-q/conn.log index be16ff6f39..6bf24260b7 100644 --- a/testing/btest/Baseline/core.q-in-q/conn.log +++ b/testing/btest/Baseline/core.q-in-q/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 T T 0 D 2 92 0 0 - 17 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 F F 0 D 2 608 0 0 - 17 
diff --git a/testing/btest/Baseline/core.radiotap/conn.log b/testing/btest/Baseline/core.radiotap/conn.log index 4f8e6dd0ac..8e0a3e45fe 100644 --- a/testing/btest/Baseline/core.radiotap/conn.log +++ b/testing/btest/Baseline/core.radiotap/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF T F 0 Dd 1 63 1 156 - 17 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 T F 0 D 1 328 0 0 - 17 diff --git a/testing/btest/Baseline/core.skip_analyzer/conn.log b/testing/btest/Baseline/core.skip_analyzer/conn.log index ab19a38a2a..868ec02855 100644 --- a/testing/btest/Baseline/core.skip_analyzer/conn.log +++ b/testing/btest/Baseline/core.skip_analyzer/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 66.59.111.190 40264 172.28.2.3 22 tcp - 3.157831 952 1671 SF F T 0 ShAdDaFf 12 1584 10 2199 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 66.59.111.190 123 18.26.4.105 123 udp - 0.074086 48 48 SF F F 0 Dd 1 76 1 76 - 17 diff --git a/testing/btest/Baseline/core.tcp-padding/conn.log b/testing/btest/Baseline/core.tcp-padding/conn.log index d2c640cd70..fe59a0cebe 100644 --- a/testing/btest/Baseline/core.tcp-padding/conn.log +++ b/testing/btest/Baseline/core.tcp-padding/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 167.221.30.181 59406 217.207.159.63 27272 tcp http 10.914549 16 191 SF F F 0 ShADadfF 13 704 12 823 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log b/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log index 4d9da1cc29..d188d7b379 100644 --- a/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log +++ b/testing/btest/Baseline/core.tcp.flip-without-syn/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 6669 192.150.187.43 80 tcp http 0.141744 136 5007 SF F F 0 ^hADadFf 6 456 7 5371 - 6 #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log index f47c447742..008b059bee 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF T T 0 ShAdfFa 5 272 4 486 - 6 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF T T 5416642848 ShAdgfFa 13 688 12 24454 - 6 diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log index a91d8f1ac1..d4bcfcc896 100644 --- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log +++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log 
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF T F 2902 ShADafgF 5 750 4 172 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tcp.missing-syn/conn.log b/testing/btest/Baseline/core.tcp.missing-syn/conn.log
index ecde49102f..d23c875c5b 100644
--- a/testing/btest/Baseline/core.tcp.missing-syn/conn.log
+++ b/testing/btest/Baseline/core.tcp.missing-syn/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF F F 0 ^hADdFaf 11 670 10 9945 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tcp.reassembly-known-ports/conn.log b/testing/btest/Baseline/core.tcp.reassembly-known-ports/conn.log
index 1322982fef..f93de33f57 100644
--- a/testing/btest/Baseline/core.tcp.reassembly-known-ports/conn.log
+++ b/testing/btest/Baseline/core.tcp.reassembly-known-ports/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp http 0.211484 136 5007 SF F F 0 ShADadFf 7 512 7 5379 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
index 456bf858cc..5eca7f3123 100644
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO T T 24257 ShADaGdgtR 17 1250 22 28961 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
index 24d4397579..df62885556 100644
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 F F 0 D 1 73 0 0 - 17
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 T F 0 D 1 199 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.analyzer-confirmation/conn.log b/testing/btest/Baseline/core.tunnels.analyzer-confirmation/conn.log
index c481f8b39e..333b071ceb 100644
--- a/testing/btest/Baseline/core.tunnels.analyzer-confirmation/conn.log
+++ b/testing/btest/Baseline/core.tunnels.analyzer-confirmation/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.200.131 50000 10.1.1.172 4789 udp vxlan 0.627090 10203 0 S0 T T 0 D 12 10539 0 0 - 17
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.11.201 40354 54.86.237.188 80 tcp http 0.627052 87 9212 SF T F 0 ShADadFf 7 459 5 9480 CHhAvVGS1DHFjwGM9 6
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/conn.log b/testing/btest/Baseline/core.tunnels.ayiya/conn.log
index ff94a16dc7..0a88bbb473 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/conn.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg :: 135 ff02::1:ff00:2 136 icmp - - - - OTH T F 0 - 1 64 0 0 C4J4Th3PJpwUYZZ6gc 58
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR T F 0 ^d 0 0 1 176 - 17
diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log
index 42260e5e18..769ab01ac6 100644
--- a/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 udp geneve 1.025005 25684 0 S0 T T 0 D 24 26356 0 0 - 17
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 45474 145.40.68.75 443 tcp ssl 1.024744 781 23111 SF T F 0 ShADadFf 15 1569 9 23587 CHhAvVGS1DHFjwGM9 6
diff --git a/testing/btest/Baseline/core.tunnels.geneve-many-options/conn.log b/testing/btest/Baseline/core.tunnels.geneve-many-options/conn.log
index 4bbeec7728..0e5f7c4b9a 100644
--- a/testing/btest/Baseline/core.tunnels.geneve-many-options/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve-many-options/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.226 39088 95.217.228.176 80 tcp - 0.555571 81 577 SF T F 0 ShADadFf 6 401 4 793 CHhAvVGS1DHFjwGM9 6
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.33.179 6667 192.168.179.33 6081 udp geneve 0.555579 2174 0 S0 T T 0 D 10 2454 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.geneve-truncated/conn.log b/testing/btest/Baseline/core.tunnels.geneve-truncated/conn.log
index 98b5c0de3f..e425c2c33b 100644
--- a/testing/btest/Baseline/core.tunnels.geneve-truncated/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve-truncated/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 20.0.0.1 50901 20.0.0.2 6081 udp geneve - - - S0 F F 0 D 1 44 0 0 - 17
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log
index 0bd7b91033..1f61be4afc 100644
--- a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.11.201 36872 1.1.1.1 53 udp dns 2.000009 54 74 SF T F 0 Dd 1 82 1 102 ClEkJM2Vm5giqnMf4h 17
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 udp geneve 2.000009 300 0 S0 T T 0 D 2 356 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.geneve/conn.log b/testing/btest/Baseline/core.tunnels.geneve/conn.log
index 0764012724..2e823bc129 100644
--- a/testing/btest/Baseline/core.tunnels.geneve/conn.log
+++ b/testing/btest/Baseline/core.tunnels.geneve/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 20.0.0.2 0 20.0.0.1 6081 udp geneve 1.999999 318 0 S0 F F 0 D 3 402 0 0 - 17
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 20.0.0.1 50901 20.0.0.2 6081 udp geneve 1.999995 342 0 S0 F F 0 D 3 426 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log
index 8d34056b0c..3567c2afbd 100644
--- a/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba-amsdu/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 157.240.18.16 443 149.159.130.184 49392 tcp - - - - OTH F F 0 D 2 356 0 0 CHhAvVGS1DHFjwGM9 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log b/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
index b8d7c41d59..4ad2045f37 100644
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 3.3.3.1 520 224.0.0.9 520 udp - 28.555457 168 0 S0 F F 0 D 2 224 0 0 ClEkJM2Vm5giqnMf4h 17
 XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 3.3.3.2 520 224.0.0.9 520 udp - 26.148268 48 0 S0 F F 0 D 2 104 0 0 ClEkJM2Vm5giqnMf4h 17
diff --git a/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log b/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
index fb0ba53ae0..5cf2c30bcc 100644
--- a/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-over-udp/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp dns 0.054277 52 171 SF T F 0 Dd 2 108 2 227 ClEkJM2Vm5giqnMf4h 17
 XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.17.0.2 36518 192.0.78.150 80 tcp http 0.107970 72 379 SF T F 0 ShADadFf 6 332 4 551 ClEkJM2Vm5giqnMf4h 6
diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log
index 64752b07c5..27dbd98770 100644
--- a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp dns 0.213894 71 146 SF T F 0 Dd 1 99 1 174 ClEkJM2Vm5giqnMf4h 17
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gre/conn.log b/testing/btest/Baseline/core.tunnels.gre/conn.log
index f399ecfc98..f33fd09fb8 100644
--- a/testing/btest/Baseline/core.tunnels.gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 tcp ssh 3.157831 952 1671 SF F T 0 ShAdDaFf 12 1584 10 2199 CHhAvVGS1DHFjwGM9 6
 XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp dns 5.001141 66 0 S0 F T 0 D 2 122 0 0 CHhAvVGS1DHFjwGM9 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
index 2c1fc5eeb8..ce5cb34566 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 T F 0 ShADadf 29 2310 49 65396 CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc 6
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 F F 0 D 49 67160 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
index 1b137102b9..9d234947d1 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 T F 0 D 1 64 0 0 - 17
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
index 832476a0f2..8c067626e9 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 T F 0 D 1 80 0 0 CHhAvVGS1DHFjwGM9 17
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 F F 0 D 2 208 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
index 847545732a..174be26ba7 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - - SHR T F 0 ^d 0 0 1 84 C4J4Th3PJpwUYZZ6gc 17
 XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR T F 0 ^d 0 0 1 84 Ck51lg1bScffFj34Ri 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
index 01502a6d27..0281895337 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF T F 0 Dd 1 40 1 42 - 17
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 T T 0 D 1 52 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
index 3633460870..fecdceaef6 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 T F 0 ShADad 17 1604 14 1762 CHhAvVGS1DHFjwGM9 6
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF F T 0 Dd 17 2216 14 2322 - 17
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
index c250df15b7..3d2cd2ab6e 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF T F 5760 ShADadfgF 27 3204 41 52594 CHhAvVGS1DHFjwGM9 6
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF F F 0 Dd 27 4176 41 54070 - 17
diff --git a/testing/btest/Baseline/core.tunnels.teredo/conn.log b/testing/btest/Baseline/core.tunnels.teredo/conn.log
index ec3d2c1d50..1a48fcf76c 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR T F 0 ^fA 1 40 1 40 - 6
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR T F 0 ^fA 1 40 1 40 - 6
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
index d82432e8c7..2d8311eea8 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF T F 0 Dd 2 185 1 80 - 17
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR T F 0 ^d 0 0 1 137 - 17
diff --git a/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log b/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
index 42e12e155a..e8397d4146 100644
--- a/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.30.0.1 48036 172.30.0.2 4789 udp - - - - OTH T T 0 C 0 0 0 0 - 17
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.30.0.1 45303 172.30.0.2 4789 udp - - - - OTH T T 0 C 0 0 0 0 - 17
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
index 11812bb5eb..995f6f3e26 100644
--- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH T T 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc 1
 XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 T T 0 D 4 536 0 0 - 17
diff --git a/testing/btest/Baseline/core.unknown-ip-protocol/conn.log b/testing/btest/Baseline/core.unknown-ip-protocol/conn.log
index 1b4882ad0f..ee0bb6dbc2 100644
--- a/testing/btest/Baseline/core.unknown-ip-protocol/conn.log
+++ b/testing/btest/Baseline/core.unknown-ip-protocol/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.170.8 0 192.168.170.56 0 unknown_transport - 0.085447 0 0 OTH T T 0 - 37 33256 37 33524 - 132
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
index 9b9e9c5e54..22da8ec65e 100644
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH T T 0 SADF 11 470 0 0 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF F F 0 ShADdFaf 12 730 10 9945 - 6
diff --git a/testing/btest/Baseline/core.vntag/conn.log b/testing/btest/Baseline/core.vntag/conn.log
index 7abf3b37b5..9d70e3e62b 100644
--- a/testing/btest/Baseline/core.vntag/conn.log
+++ b/testing/btest/Baseline/core.vntag/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 0 1.1.2.1 0 unknown_transport - 0.000001 0 0 OTH F F 0 - 3 300 0 0 - 253
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.wlanmon/conn.log b/testing/btest/Baseline/core.wlanmon/conn.log index 8b6f70e6e3..f2457cec63 100644 --- a/testing/btest/Baseline/core.wlanmon/conn.log +++ b/testing/btest/Baseline/core.wlanmon/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.009303 35 128 SF T F 0 Dd 1 63 1 156 - 17 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 T F 0 D 1 328 0 0 - 17 diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default index e5c415c548..4d4133cbb0 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.default +++ b/testing/btest/Baseline/coverage.record-fields/out.default @@ -14,6 +14,7 @@ connection { * resp_h: addr, log=T, optional=F * resp_p: port, log=T, optional=F } + * ip_proto: count, log=T, optional=T * local_orig: bool, log=T, optional=T * local_resp: bool, log=T, optional=T * missed_bytes: count, log=T, optional=T 
@@ -21,7 +22,6 @@ connection { * orig_ip_bytes: count, log=T, optional=T * orig_pkts: count, log=T, optional=T * proto: enum transport_proto, log=T, optional=F - * protocol_id: count, log=T, optional=T * resp_bytes: count, log=T, optional=T * resp_ip_bytes: count, log=T, optional=T * resp_pkts: count, log=T, optional=T diff --git a/testing/btest/Baseline/opt.basic/conn.log b/testing/btest/Baseline/opt.basic/conn.log index 24d4397579..df62885556 100644 --- a/testing/btest/Baseline/opt.basic/conn.log +++ b/testing/btest/Baseline/opt.basic/conn.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 F F 0 D 1 73 0 0 - 17 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 T F 0 D 1 199 0 0 - 17 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 905794b0fa..884e2bf4ca 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -3248,14 +3248,14 @@ XXXXXXXXXX.XXXXXX | HookDrainEvents XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Broker::__flush_logs, , ()) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Broker::flush_logs, , ()) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Broker::log_flush, , ()) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp)) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Conn::log_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=])) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, 
orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp)) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Conn::log_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], 
resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::finalize_http, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, 
to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::finalize_http, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, 
dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, 
extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6])) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG)) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, 
duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6])) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG)) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Site::is_local_addr, , (141.142.228.5)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Site::is_local_addr, , (192.150.187.43)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, ..., ...) -> 
@@ -3269,8 +3269,8 @@ XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(net_done, , (XXXXXXXXXX.XXX XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(to_lower, , (HTTP)) -> XXXXXXXXXX.XXXXXX MetaHookPost DrainEvents() -> -XXXXXXXXXX.XXXXXX MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), protocol_id (count)}) -> -XXXXXXXXXX.XXXXXX MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), protocol_id (count)}, ) -> true +XXXXXXXXXX.XXXXXX MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), ip_proto (count)}) -> 
+XXXXXXXXXX.XXXXXX MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), ip_proto (count)}, ) -> true XXXXXXXXXX.XXXXXX MetaHookPost QueueEvent(Broker::log_flush()) -> false XXXXXXXXXX.XXXXXX MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, 
resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) -> false XXXXXXXXXX.XXXXXX MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) -> false 
@@ -3278,14 +3278,14 @@ XXXXXXXXXX.XXXXXX MetaHookPost UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Broker::__flush_logs, , ()) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Broker::flush_logs, , ()) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Broker::log_flush, , ()) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, 
orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp)) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Conn::log_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=])) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, 
orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp)) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Conn::log_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], 
resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::finalize_http, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, 
to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::finalize_http, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, 
dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, 
extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6])) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG)) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 
msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6])) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG)) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Site::is_local_addr, , (141.142.228.5)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Site::is_local_addr, , (192.150.187.43)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, ..., ...) 
@@ -3299,8 +3299,8 @@ XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(net_done, , (XXXXXXXXXX.XXX XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(to_lower, , (HTTP)) XXXXXXXXXX.XXXXXX MetaHookPre DrainEvents() -XXXXXXXXXX.XXXXXX MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), protocol_id (count)}) -XXXXXXXXXX.XXXXXX MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), protocol_id (count)}, ) +XXXXXXXXXX.XXXXXX MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), ip_proto (count)}) +XXXXXXXXXX.XXXXXX MetaHookPre 
LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 22, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), ip_proto (count)}, ) XXXXXXXXXX.XXXXXX MetaHookPre QueueEvent(Broker::log_flush()) XXXXXXXXXX.XXXXXX MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) XXXXXXXXXX.XXXXXX MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)) 
@@ -3309,14 +3309,14 @@ XXXXXXXXXX.XXXXXX | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX | HookCallFunction Broker::__flush_logs() XXXXXXXXXX.XXXXXX | HookCallFunction Broker::flush_logs() XXXXXXXXXX.XXXXXX | HookCallFunction Broker::log_flush() -XXXXXXXXXX.XXXXXX | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp) -XXXXXXXXXX.XXXXXX | HookCallFunction Conn::log_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=]) +XXXXXXXXXX.XXXXXX | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=, local_orig=F, 
local_resp=F, missed_bytes=0, history=, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], tcp) +XXXXXXXXXX.XXXXXX | HookCallFunction Conn::log_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<4692973652431675528>: function(path:string) : void, interv=0 secs, postprocessor=, config={}, policy=]) XXXXXXXXXX.XXXXXX | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, 
l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T) -XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::finalize_http([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, 
conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]]) +XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::finalize_http([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]]) XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T) -XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6]) -XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6], Conn::LOG) -XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, 
history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6]) +XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6]) +XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG) +XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6]) XXXXXXXXXX.XXXXXX | HookCallFunction Site::is_local_addr(141.142.228.5) XXXXXXXXXX.XXXXXX | HookCallFunction Site::is_local_addr(192.150.187.43) XXXXXXXXXX.XXXXXX | HookCallFunction cat(...) 
@@ -3330,8 +3330,8 @@ XXXXXXXXXX.XXXXXX | HookCallFunction net_done(XXXXXXXXXX.XXXXXX) XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80) XXXXXXXXXX.XXXXXX | HookCallFunction to_lower(HTTP) XXXXXXXXXX.XXXXXX | HookDrainEvents -XXXXXXXXXX.XXXXXX | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), protocol_id (count)} -XXXXXXXXXX.XXXXXX | HookLogWrite conn [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6] +XXXXXXXXXX.XXXXXX | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string]), ip_proto (count)} +XXXXXXXXXX.XXXXXX | HookLogWrite conn [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, 
orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX | HookQueueEvent Broker::log_flush() XXXXXXXXXX.XXXXXX | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]]) XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, 
flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, dpd=, dpd_state=, service_violation={}, conn=, extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]], T)
diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_raw b/testing/btest/Baseline/plugins.packet-protocol/output_raw
index ded3e7fbdc..53bd16af96 100644
--- a/testing/btest/Baseline/plugins.packet-protocol/output_raw
+++ b/testing/btest/Baseline/plugins.packet-protocol/output_raw
@@ -6,7 +6,7 @@ raw_layer_message (Message = 'I am encapsulating IP', Protocol = 4950)
 #unset_field - 
 #path conn 
 #open XXXX-XX-XX-XX-XX-XX 
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id 
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto 
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.22.214.60 8 192.0.78.150 0 icmp - - - - OTH T F 0 - 1 28 0 0 - 1 
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH T F 0 - 1 28 0 0 - 1 
diff --git a/testing/btest/Baseline/plugins.pktsrc/conn.log b/testing/btest/Baseline/plugins.pktsrc/conn.log
index bef93165a7..e1c6549fc9 100644
--- a/testing/btest/Baseline/plugins.pktsrc/conn.log
+++ b/testing/btest/Baseline/plugins.pktsrc/conn.log
@@ -5,7 +5,7 @@
 #unset_field - 
 #path conn 
 #open XXXX-XX-XX-XX-XX-XX 
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id 
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto 
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 F F 0 S 1 64 0 0 - 6 
 #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log
index c690193ecf..b61834776c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log
@@ -5,7 +5,7 @@
 #unset_field - 
 #path conn 
 #open XXXX-XX-XX-XX-XX-XX 
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id 
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto 
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 
 XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd - - - - - 17 
 XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF F F 0 Dd - - - - - 17 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out
index 04e2fcf89f..ed8fd729c3 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out
@@ -1,138 +1,138 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. [ts=XXXXXXXXXX.XXXXXX, uid=dnGM1AdIVyh, id=[orig_h=141.142.220.202, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown, proto=17], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=73, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=fv9q7WjEgp1, id=[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/unknown, resp_h=ff02::fb, resp_p=5353/unknown, proto=17], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=199, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=0Ox0H56yl88, id=[orig_h=141.142.220.50, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown, proto=17], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=179, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=rvmSc7rDQub, id=[orig_h=141.142.220.118, orig_p=43927/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=435.113907 usecs, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=ogkztouSArh, id=[orig_h=141.142.220.118, orig_p=37676/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=420.093536 usecs, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, 
orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=0UIDdXFt7Tb, id=[orig_h=141.142.220.118, orig_p=40526/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=391.960144 usecs, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=WqFYV51UIq7, id=[orig_h=141.142.220.118, orig_p=32902/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=317.09671 usecs, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=ylcqZpbz6K2, id=[orig_h=141.142.220.118, orig_p=59816/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=343.084335 usecs, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=blhldTzA7Y6, id=[orig_h=141.142.220.118, orig_p=59714/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=375.032425 usecs, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=Sc34cGJo3Kg, id=[orig_h=141.142.220.118, orig_p=58206/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=339.031219 usecs, orig_bytes=38, resp_bytes=89, conn_state=SF, 
local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=RzvFrfXSRfk, id=[orig_h=141.142.220.118, orig_p=38911/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=334.978104 usecs, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=GaaFI58mpbe, id=[orig_h=141.142.220.118, orig_p=59746/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=420.808792 usecs, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=tr7M6tvAIQa, id=[orig_h=141.142.220.118, orig_p=45000/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=384.092331 usecs, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=gV0TcSc2pb4, id=[orig_h=141.142.220.118, orig_p=48479/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=316.858292 usecs, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=MOG0z4PYOhk, id=[orig_h=141.142.220.118, orig_p=48128/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=422.954559 
usecs, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=PlehgEduUyj, id=[orig_h=141.142.220.118, orig_p=56056/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=402.212143 usecs, orig_bytes=36, resp_bytes=131, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=159, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=4eZgk09f2Re, id=[orig_h=141.142.220.118, orig_p=55092/unknown, resp_h=141.142.2.2, resp_p=53/unknown, proto=17], proto=udp, service=dns, duration=374.078751 usecs, orig_bytes=36, resp_bytes=198, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=226, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=3xwJPc7mQ9a, id=[orig_h=141.142.220.44, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown, proto=17], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=85, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=yxTcvvTKWQ4, id=[orig_h=141.142.220.226, orig_p=137/unknown, resp_h=141.142.220.255, resp_p=137/unknown, proto=17], proto=udp, service=dns, duration=2.0 secs 613.0 msecs 16.843796 usecs, orig_bytes=350, resp_bytes=0, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=7, orig_ip_bytes=546, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=8bLW3XNfhCj, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/unknown, resp_h=ff02::1:3, 
resp_p=5355/unknown, proto=17], proto=udp, service=dns, duration=100.0 msecs 96.225739 usecs, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=rqjhiiRPjEe, id=[orig_h=141.142.220.226, orig_p=55131/unknown, resp_h=224.0.0.252, resp_p=5355/unknown, proto=17], proto=udp, service=dns, duration=100.0 msecs 20.885468 usecs, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=hTPyfL3QSGa, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/unknown, resp_h=ff02::1:3, resp_p=5355/unknown, proto=17], proto=udp, service=dns, duration=99.0 msecs 801.063538 usecs, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=EruUQ9AJRj4, id=[orig_h=141.142.220.226, orig_p=55671/unknown, resp_h=224.0.0.252, resp_p=5355/unknown, proto=17], proto=udp, service=dns, duration=99.0 msecs 848.985672 usecs, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, uid=sw1bKJOMjuk, id=[orig_h=141.142.220.238, orig_p=56641/unknown, resp_h=141.142.220.255, resp_p=137/unknown, proto=17], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, local_resp=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=78, resp_pkts=0, resp_ip_bytes=0, tunnel_parents={ -}, protocol_id=17] +}, ip_proto=17] 0 [ts=XXXXXXXXXX.XXXXXX, 
uid=NPHCuyWykE7, id=[orig_h=141.142.220.118, orig_p=48649/unknown, resp_h=208.80.152.118, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=119.0 msecs 904.994965 usecs, orig_bytes=525, resp_bytes=232, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=741, resp_pkts=3, resp_ip_bytes=396, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=VapPqRhPgJ4, id=[orig_h=141.142.220.118, orig_p=50000/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=229.0 msecs 603.052139 usecs, orig_bytes=1148, resp_bytes=734, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1468, resp_pkts=4, resp_ip_bytes=950, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=3607hh8C3bc, id=[orig_h=141.142.220.118, orig_p=49998/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=215.0 msecs 893.030167 usecs, orig_bytes=1130, resp_bytes=734, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1450, resp_pkts=4, resp_ip_bytes=950, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=tgYMrIvzDSg, id=[orig_h=141.142.220.118, orig_p=49996/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=218.0 msecs 501.091003 usecs, orig_bytes=1171, resp_bytes=733, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1491, resp_pkts=4, resp_ip_bytes=949, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=xQsjPwNBrXd, id=[orig_h=141.142.220.118, orig_p=50001/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=227.0 msecs 283.95462 usecs, orig_bytes=1178, resp_bytes=734, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, 
history=ShADad, orig_pkts=6, orig_ip_bytes=1498, resp_pkts=4, resp_ip_bytes=950, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=Ap3GzMI1vM9, id=[orig_h=141.142.220.118, orig_p=35642/unknown, resp_h=208.80.152.2, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=120.0 msecs 40.893555 usecs, orig_bytes=534, resp_bytes=412, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=750, resp_pkts=3, resp_ip_bytes=576, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=FTVcgrmNy52, id=[orig_h=141.142.220.118, orig_p=49997/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=219.0 msecs 720.125198 usecs, orig_bytes=1125, resp_bytes=734, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1445, resp_pkts=4, resp_ip_bytes=950, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=1xFx4PGdeq5, id=[orig_h=141.142.220.235, orig_p=6705/unknown, resp_h=173.192.163.128, resp_p=80/unknown, proto=6], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=OTH, local_orig=, local_resp=, missed_bytes=0, history=h, orig_pkts=0, orig_ip_bytes=0, resp_pkts=1, resp_ip_bytes=48, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=WIG1ud65z22, id=[orig_h=141.142.220.118, orig_p=35634/unknown, resp_h=208.80.152.2, resp_p=80/unknown, proto=6], proto=tcp, service=, duration=61.0 msecs 328.887939 usecs, orig_bytes=463, resp_bytes=350, conn_state=OTH, local_orig=, local_resp=, missed_bytes=0, history=DdA, orig_pkts=2, orig_ip_bytes=567, resp_pkts=1, resp_ip_bytes=402, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 [ts=XXXXXXXXXX.XXXXXX, uid=o2gAkl4V7sa, id=[orig_h=141.142.220.118, orig_p=49999/unknown, resp_h=208.80.152.3, resp_p=80/unknown, proto=6], proto=tcp, service=http, duration=220.0 msecs 960.855484 usecs, 
orig_bytes=1137, resp_bytes=733, conn_state=S1, local_orig=, local_resp=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1457, resp_pkts=4, resp_ip_bytes=949, tunnel_parents={ -}, protocol_id=6] +}, ip_proto=6] 0 End of data
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.delay.example/.stdout b/testing/btest/Baseline/scripts.base.frameworks.logging.delay.example/.stdout
index 5b280a4105..f6c186d7a7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.delay.example/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.delay.example/.stdout
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 1362692527.080972, Pcap::file_done
-1362692527.080972, log_stream_policy, Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, protocol_id=6, orig_name=, resp_name=]
+1362692527.080972, log_stream_policy, Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6], proto=tcp, service=, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6, orig_name=, resp_name=]
 1362692527.080972, token1 delay hook
 1362692527.080972, token2 delay hook
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log
index acb6db1b98..2f066f9a25 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log
@@ -5,7 +5,7 @@
 #unset_field - 
 #path conn 
 #open XXXX-XX-XX-XX-XX-XX 
-#fields _write_ts _stream _innerLogged.a _innerLogged.c _innerLogged.d _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id 
+#fields _write_ts _stream _innerLogged.a _innerLogged.c _innerLogged.d _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto 
 #types time string count count set[count] string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 
 XXXXXXXXXX.XXXXXX conn 1 3 4,2,3,1 - XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 
 XXXXXXXXXX.XXXXXX conn 1 3 4,2,3,1 - XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-include-exclude/conn-exc.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-include-exclude/conn-exc.log
index 3c119881f0..1bbdbdc7d7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-include-exclude/conn-exc.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-include-exclude/conn-exc.log
@@ -5,7 +5,7 @@
 #unset_field - 
 #path conn-exc 
 #open XXXX-XX-XX-XX-XX-XX 
-#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id 
+#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto 
 #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count 
 XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 
 XXXXXXXXXX.XXXXXX conn-exc zeek XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log
index 0a1d136633..a01d30fc21 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF F F 0 ShADadFf 7 512 7 5379 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log index a8b8037116..973d1338cf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields _write_ts _system_name _undefined_string ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields _write_ts _system_name _undefined_string ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX zeek - XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 XXXXXXXXXX.XXXXXX zeek - XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log index 0b6957f75e..b656f4f243 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX conn zeek XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 XXXXXXXXXX.XXXXXX conn zeek XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log index 0d34c600c0..a187985a03 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log index 4369a1f595..a01a51807c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map2/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid src_ip src_port dst_ip dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid src_ip src_port dst_ip dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.2 49159 192.168.1.1 20000 tcp - 0.463113 120 0 S0 T T 0 SAD 5 332 0 0 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log index 3d225ecd5c..38a674828e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id_orig_h id_orig_p id_resp_h id_resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id_orig_h id_orig_p id_resp_h id_resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log index 0d34c600c0..a187985a03 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log index fec0f1bdc5..e7758bb0a2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF T T 0 Dd 1 62 1 128 - 17 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 T T 0 D 1 229 0 0 - 17 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log index 2fe7974e00..fdff16b2f9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 0.0.0.0 68 255.255.255.255 67 udp dhcp 5.099034 1560 0 S0 T T 0 D 6 1728 0 0 - 17 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.2.6.97 68 128.2.6.152 67 udp dhcp - - - SHR F F 0 ^d 0 0 1 395 - 17 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log index d0056a0f03..508a57d71d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 T T 233 ShAdDaGg 4139 206914 4178 326799 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log index 2adce63859..abf5456c82 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp - 9.891089 34 71 SF T T 0 ShAdDaFf 13 718 10 599 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log index 27972a4fdf..197a55899b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF F F 0 ShAdfFa 4 216 4 562 - 6 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF F F 0 ShAdfFa 4 216 4 297 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log index 6b00d30ba1..8403f3951f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF F F 0 ShAdfFa 5 372 4 642 - 6 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF F F 0 ShAdfFa 5 372 4 343 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log index 3716f960a7..7ff5eb0de8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-command-length/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58634 127.0.0.1 21 tcp ftp 0.213412 358 313 SF T T 0 ShAdDaFf 23 1562 17 1205 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-pending-commands/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-pending-commands/conn.log index 68a358c839..6012132ea0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-pending-commands/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-max-pending-commands/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37950 127.0.0.1 21 tcp ftp 0.202144 98 261 SF T T 0 ShADadfF 21 1198 20 1309 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log index 674bd080d5..f40ec68452 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 tcp - 10.862185 34 74 SF T T 0 ShAdDaFf 13 718 10 602 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log index a0721febae..2468b9f09d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 tcp - 11.705309 34 68 SF T T 0 ShAdDaFf 13 718 10 596 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log index 5eda5bcf00..c897e6cdbb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 tcp ftp 15.009303 25 134 SF T T 0 ShAdDaFf 7 325 8 466 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log index 5eda5bcf00..c897e6cdbb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 tcp ftp 15.009303 25 134 SF T T 0 ShAdDaFf 7 325 8 466 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log index 7c39975872..8fee6546a7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,ssl,gridftp 0.294743 4491 6659 SF T T 0 ShAdDaFf 22 5643 21 7759 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp gridftp-data,ssl 0.010760 2109 3196 S1 T T 0 ShADad 7 2481 6 3516 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/conn.log index 4d34e3593f..19f8a4d1e2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 tcp http 0.125216 117 10290 SF T F 0 ShADadFf 9 593 7 10662 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 tcp http 0.173517 111 10284 SF T F 0 ShADadtFf 11 703 10 10812 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log index 6cfac09c42..2ded9d823c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp ssl,http 0.691241 3644 55499 S1 T T 0 ShAaDd 29 5744 29 57599 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log index 256f99131e..7f7b5dccce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF F T 0 ShADadtTfF 14 2257 16 944 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-no-crlf/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-no-crlf/conn.log index d9f2f1c707..29ae66ba8a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-no-crlf/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-no-crlf/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.6.206 49783 5.2.136.90 80 tcp http 109.987365 36349 1483945 SF T F 0 ShADadfF 406 52601 1113 1528477 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log index bb9c9e9178..889c8ff874 100644 --- a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.17.53 49640 212.227.17.186 143 tcp imap,ssl 2.827002 540 5653 SF T F 0 ShAdDafFr 18 1284 14 6225 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log index 4d577d3248..67730e3b29 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF T F 0 ShAdDaFf 28 1592 43 44452 - 6 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 T F 0 ShADdTtaf 63 3761 52 28194 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log index 45fdfbc94e..c01176757c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log 
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 203.143.168.47 55123 185.18.76.170 6667 tcp irc,ssl 4.923144 913 1903 SF F F 0 ShADadFRf 11 1469 9 2379 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.krb-service-name/conn.log b/testing/btest/Baseline/scripts.base.protocols.krb.krb-service-name/conn.log
index 4ec4398e74..71362d47d6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.krb.krb-service-name/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.krb.krb-service-name/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.202.110 43792 192.168.229.251 88 tcp krb_tcp 0.010000 110 90 S1 T T 0 ^hADd 2 214 2 206 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log
index 97a661b912..07cd105fa8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 tcp ldap_tcp 3.537413 536 42 SF 0 ShADadFf 11 1116 6 362 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
index 0e8a5f91a6..13f780b46b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
index 0e8a5f91a6..13f780b46b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
index 6a42d3d545..1b97bea250 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
index 0e8a5f91a6..13f780b46b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
index 9abe2de85f..668cfa865e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp ldap_tcp 0.813275 1814 2391 S1 0 ShADd 6 2062 4 2559 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log
index e2eed5cdb7..ae49dbc08d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 tcp ldap_tcp 2.290081 289 1509 SF 0 ShADadFf 12 921 15 2297 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log
index 2314f6cb1c..e6d989c2d8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 tcp ldap_tcp 2.231680 353 1772 SF 0 ShADadFf 11 933 15 2560 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log
index 1fa734778f..b07f660078 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 tcp ldap_tcp 0.033404 3046 90400 RSTR 0 ShADdar 14 1733 68 93132 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log
index ecdb4117a5..ed1f3019d6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 tcp ldap_tcp 63.273503 3963 400107 OTH 0 Dd 12 2595 282 411387 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 tcp ldap_tcp 0.007979 2630 3327 OTH 0 Dd 6 990 6 3567 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log
index 787e2182c2..3b3e9c4e76 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60648 127.0.1.1 389 tcp ldap_tcp 2.114467 548 1020 SF 0 ShADadFf 9 1024 6 1340 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log
index f80a8831b8..e46041a6ec 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 50041 192.168.1.108 389 tcp ldap_tcp 0.004745 93 283 RSTR 0 ShADdFar 5 305 4 455 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.107 50041 192.168.1.108 389 tcp ldap_tcp 0.005883 93 283 RSTR 0 ShADdFar 5 305 4 455 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log
index 7ea02208dc..7e366ece80 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 45936 127.0.1.1 389 tcp ldap_tcp,ssl 0.016922 683 3002 RSTO 0 ShADadFR 14 1407 14 3738 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log
index a4687a7a4b..6c36d5fe8c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48122 127.0.1.1 389 tcp ldap_tcp 0.001192 83 59 SF 0 ShADadFf 8 507 5 327 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-first.log b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-first.log
index 229283a899..e389b02f71 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-first.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-first.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF T T 0 FafA 2 80 2 80 - 6
 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.0.0.57 2579 10.0.0.8 502 tcp modbus 23.256631 24 0 SF T T 0 ShADaFf 6 272 5 208 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-second.log b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-second.log
index 73c5996ed7..9a4b90ee04 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-second.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-second.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.42 54297 192.168.88.100 502 tcp modbus 0.022532 11 18 OTH T T 0 Dd 1 51 1 58 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.42 54298 192.168.88.100 502 tcp modbus 3.019519 11 9 OTH T T 0 Dd 1 51 1 49 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log
index df7c59f29a..2cdfde4795 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF T T 0 ShADdFaf 16 720 9 437 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 87.236.176.106 38129 192.168.10.111 502 tcp dce_rpc 5.102604 72 9 SF F T 0 ShADadFf 6 392 4 225 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log
index 6f07ac4d90..c374cbb0a0 100644
--- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 58132 79.107.90.25 3306 tcp ssl,mysql 2.043921 724 3255 SF F F 0 ShAdDaFf 14 1460 11 3835 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log
index 4884572120..7059498553 100644
--- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 57902 79.107.90.25 3306 tcp ssl,mysql 6.756360 1076 3776 SF F F 0 ShAdDaFf 19 2072 14 4512 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log
index d7aadd8404..fbf6293848 100644
--- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59272 127.0.0.1 3306 tcp ssl,mysql 0.021783 713 1959 SF T T 0 ShAdDaFf 10 1241 8 2383 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log
index 5049dbcea3..7d2b19270f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.misordered-ntp/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.95 123 17.253.4.253 123 udp ntp 0.959285 96 0 S0 T F 0 D^ 2 152 0 0 - 17
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log
index 5a12daf36b..ca2a114707 100644
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58854 127.0.0.1 110 tcp - 0.151387 20 253 RSTO T T 0 ShAdDaFR 20 1056 16 1093 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
index d18c48d1cb..e649c78c15 100644
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.4 26242 212.227.15.188 110 tcp - 0.050692 0 0 REJ T F 0 Sr 1 52 1 40 - 6
 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.4 26242 212.227.15.188 110 tcp - 0.060847 0 0 REJ T F 0 Sr 1 52 1 40 - 6
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log
index 141cd8e084..dbffcb2c6f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 tcp - 0.002030 848 370 SF T T 0 ShADadfF 58 3872 58 3394 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log
index f15818772c..3fc69f6c3e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp ssl,pop3 2.489002 851 2590 SF T T 0 ShAadDfFr 16 1695 17 3462 - 6
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-fail/conn.log b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-fail/conn.log
index 70c6482274..b98eb1359d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-fail/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-fail/conn.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path conn
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.38.1 63568 192.168.38.102 3389 udp - 6.226782 3696 0 S0 T T 0 D 3 3780 0 0 - 17
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-success/conn.log b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-success/conn.log
index 37b856143f..0e881d4e59 100644
--- a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-success/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp-handshake-success/conn.log
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 61291 ::1 3389 udp rdpeudp 0.122551 1738 2655 SF T T 0 Dd 5 1978 5 2895 - 17 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp2-handshake-success/conn.log b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp2-handshake-success/conn.log index 7f7c8097bc..1a9e034e03 100644 --- a/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp2-handshake-success/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdpeudp2-handshake-success/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.5 65368 192.168.57.8 3389 udp rdpeudp 0.036087 2398 6585 SF T T 0 Dd 3 2482 7 6781 - 17 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log index 2fab7f17fc..5521c80862 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp ssh 6.159326 2669 2501 SF T F 0 ShAdDaFf 25 3981 20 3549 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 tcp ssh 2.079071 3813 3633 SF T F 0 ShADadFf 22 4965 26 5017 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-client/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-client/conn.log index 89b7bc30b1..a12051726b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-client/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-client/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp - 3.435401 2493 0 S0 T F 0 SAD 19 3493 0 0 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.79 51880 131.159.21.1 22 tcp - 1.025500 176 0 SH T F 0 DAF 6 488 0 0 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-server/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-server/conn.log index b1e0abceff..d93b637e63 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-server/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.half-duplex-server/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp - 6.013825 0 2501 SHR T F 0 ^hdaf 0 0 20 3549 - 6 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.1 57189 192.168.2.158 22 tcp - 6.641675 0 3489 SHR T T 0 ^hadf 0 0 29 5005 - 6 diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log index a430e2a429..c0879be9b1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF F F 0 ShADadfFr 19 1676 15 5442 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log index 3746cdc4a5..58b44f2cc9 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log 
@@ -6197,16 +6197,16 @@ XXXXXXXXXX.XXXXXX raw_packet XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp, proto=6], proto=tcp, service=smtp, duration=7.0 secs 576.0 msecs 952.934265 usecs, orig_bytes=14705, resp_bytes=538, conn_state=SF, local_orig=T, local_resp=F, missed_bytes=0, history=ShAdDaTFf, orig_pkts=28, orig_ip_bytes=21673, resp_pkts=25, resp_ip_bytes=1546, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp, proto=6], proto=tcp, service=smtp, duration=7.0 secs 576.0 msecs 952.934265 usecs, orig_bytes=14705, resp_bytes=538, conn_state=SF, local_orig=T, local_resp=F, missed_bytes=0, history=ShAdDaTFf, orig_pkts=28, orig_ip_bytes=21673, resp_pkts=25, resp_ip_bytes=1546, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp, proto=17], proto=udp, service=, duration=34.0 msecs 24.953842 usecs, orig_bytes=34, resp_bytes=100, conn_state=SF, local_orig=T, local_resp=T, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=62, resp_pkts=1, resp_ip_bytes=128, tunnel_parents=, protocol_id=17] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp, proto=17], proto=udp, service=, duration=34.0 msecs 24.953842 usecs, orig_bytes=34, resp_bytes=100, conn_state=SF, local_orig=T, local_resp=T, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=62, resp_pkts=1, resp_ip_bytes=128, tunnel_parents=, ip_proto=17] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C4J4Th3PJpwUYZZ6gc, id=[orig_h=192.168.1.1, 
orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp, proto=1], proto=icmp, service=, duration=1.0 msec 518.964767 usecs, orig_bytes=2192, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=T, missed_bytes=0, history=, orig_pkts=4, orig_ip_bytes=2304, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=, protocol_id=1] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C4J4Th3PJpwUYZZ6gc, id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp, proto=1], proto=icmp, service=, duration=1.0 msec 518.964767 usecs, orig_bytes=2192, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=T, missed_bytes=0, history=, orig_pkts=4, orig_ip_bytes=2304, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=, ip_proto=1] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CtPZjS20MLrsMUOJi2, id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp, proto=17], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=T, local_resp=T, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=229, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=, protocol_id=17] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CtPZjS20MLrsMUOJi2, id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp, proto=17], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=T, local_resp=T, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=229, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=, ip_proto=17] XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX new_packet 
@@ -8979,19 +8979,19 @@ XXXXXXXXXX.XXXXXX connection_state_remove XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp, proto=6], proto=tcp, service=, duration=756.0 msecs 701.946259 usecs, orig_bytes=2249, resp_bytes=3653, conn_state=S1, local_orig=T, local_resp=F, missed_bytes=0, history=ShADda, orig_pkts=15, orig_ip_bytes=2873, resp_pkts=13, resp_ip_bytes=4185, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp, proto=6], proto=tcp, service=, duration=756.0 msecs 701.946259 usecs, orig_bytes=2249, resp_bytes=3653, conn_state=S1, local_orig=T, local_resp=F, missed_bytes=0, history=ShADda, orig_pkts=15, orig_ip_bytes=2873, resp_pkts=13, resp_ip_bytes=4185, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C37jN32gN3y3AZzyf6, id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp, proto=6], proto=tcp, service=, duration=147.0 msecs 503.137589 usecs, orig_bytes=714, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=F, missed_bytes=0, history=Da, orig_pkts=1, orig_ip_bytes=766, resp_pkts=1, resp_ip_bytes=52, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=C37jN32gN3y3AZzyf6, id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp, proto=6], proto=tcp, service=, duration=147.0 msecs 503.137589 usecs, orig_bytes=714, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=F, missed_bytes=0, history=Da, orig_pkts=1, orig_ip_bytes=766, resp_pkts=1, resp_ip_bytes=52, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CUM0KZ3MLUfNB0cl11, 
id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp, proto=6], proto=tcp, service=, duration=343.0 msecs 8.041382 usecs, orig_bytes=41, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=F, missed_bytes=0, history=Da, orig_pkts=1, orig_ip_bytes=93, resp_pkts=1, resp_ip_bytes=52, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CUM0KZ3MLUfNB0cl11, id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp, proto=6], proto=tcp, service=, duration=343.0 msecs 8.041382 usecs, orig_bytes=41, resp_bytes=0, conn_state=OTH, local_orig=T, local_resp=F, missed_bytes=0, history=Da, orig_pkts=1, orig_ip_bytes=93, resp_pkts=1, resp_ip_bytes=52, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CP5puj4I8PtEU4qzYg, id=[orig_h=74.125.71.189, orig_p=443/tcp, resp_h=192.168.133.100, resp_p=49336/tcp, proto=6], proto=tcp, service=, duration=221.014023 usecs, orig_bytes=85, resp_bytes=0, conn_state=OTH, local_orig=F, local_resp=T, missed_bytes=0, history=DTa, orig_pkts=3, orig_ip_bytes=411, resp_pkts=3, resp_ip_bytes=156, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CP5puj4I8PtEU4qzYg, id=[orig_h=74.125.71.189, orig_p=443/tcp, resp_h=192.168.133.100, resp_p=49336/tcp, proto=6], proto=tcp, service=, duration=221.014023 usecs, orig_bytes=85, resp_bytes=0, conn_state=OTH, local_orig=F, local_resp=T, missed_bytes=0, history=DTa, orig_pkts=3, orig_ip_bytes=411, resp_pkts=3, resp_ip_bytes=156, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX Conn::log_conn - [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp, proto=6], proto=tcp, service=smtp, duration=57.0 msecs 320.11795 usecs, orig_bytes=969, resp_bytes=162, conn_state=S1, local_orig=T, local_resp=T, missed_bytes=0, history=ShAdDa, orig_pkts=17, 
orig_ip_bytes=1865, resp_pkts=10, resp_ip_bytes=690, tunnel_parents=, protocol_id=6] + [0] rec: Conn::Info = [ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp, proto=6], proto=tcp, service=smtp, duration=57.0 msecs 320.11795 usecs, orig_bytes=969, resp_bytes=162, conn_state=S1, local_orig=T, local_resp=T, missed_bytes=0, history=ShAdDa, orig_pkts=17, orig_ip_bytes=1865, resp_pkts=10, resp_ip_bytes=690, tunnel_parents=, ip_proto=6] XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX zeek_done diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log index fb37fbe6c4..6b6ea051dc 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id orig_l2_addr resp_l2_addr +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH F F 0 H 1 48 0 0 - 6 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF F F 0 Dd 1 66 1 117 - 17 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log index 12f600857d..3a70d33599 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log @@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id orig_l2_addr resp_l2_addr +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF T F 0 Dd 1 63 1 156 - 17 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 T F 0 D 1 328 0 0 - 17 a4:67:06:f7:ec:54 33:33:00:00:00:fb diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log index b95aec51e2..357b3e85df 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id orig_l2_addr resp_l2_addr +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - OTH F F 0 R 1 40 0 0 - 6 - - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - OTH F F 0 R 1 40 0 0 - 6 - - diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-post-large.log b/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-post-large.log index dcbb483540..d80f937955 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-post-large.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-post-large.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id speculative_service +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto speculative_service #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37526 127.0.0.1 80 tcp http 0.008395 61907 60478 SF T T 0 ShADadfF 10 62435 9 60954 - 6 http XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 60644 127.0.0.1 5000 tcp http 0.015853 61917 60478 SF T T 0 ShADadfF 10 62445 9 60954 - 6 http diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-wiki.log b/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-wiki.log index cd8517a19f..50a3ce8ae8 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-wiki.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.speculative-service/conn-wiki.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id speculative_service +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto speculative_service #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 F F 0 D 1 73 0 0 - 17 - XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 T F 0 D 1 199 0 0 - 17 - diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log index 0bda37311f..a725d363b6 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id vlan inner_vlan +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto vlan inner_vlan #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count int int XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 T T 0 D 2 92 0 0 - 17 13 10 XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 F F 0 D 2 608 0 0 - 17 13 10 diff --git a/testing/btest/Baseline/signatures.eval-condition/conn.log b/testing/btest/Baseline/signatures.eval-condition/conn.log index 6be3fcf7c9..fbf70d23b7 100644 --- a/testing/btest/Baseline/signatures.eval-condition/conn.log +++ b/testing/btest/Baseline/signatures.eval-condition/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF F F 0 ShAdfFa 4 216 4 562 - 6 XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF F F 0 ShAdfFa 4 216 4 297 - 6 diff --git a/testing/btest/Baseline/spicy.replaces/conn.log b/testing/btest/Baseline/spicy.replaces/conn.log index 72b7e2f65d..981e018e32 100644 --- a/testing/btest/Baseline/spicy.replaces/conn.log +++ b/testing/btest/Baseline/spicy.replaces/conn.log 
@@ -5,7 +5,7 @@ #unset_field - #path conn #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protocol_id +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.16.238.1 49656 172.16.238.131 80 tcp ssh 9.953807 2405 2887 SF T T 0 ShAdDaFf 40 4497 30 4455 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek b/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek index fc1957b3b9..e1c4b54d74 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek @@ -34,7 +34,7 @@ CREATE TABLE conn ( 'resp_pkts' integer, 'resp_ip_bytes' integer, 'tunnel_parents' text, -'protocol_id' integer +'ip_proto' integer ); INSERT INTO "conn" VALUES(1.30047516709653496744e+09,'dnGM1AdIVyh','141.142.220.202',5353,'224.0.0.251',5353,17,'udp','dns',NULL,NULL,NULL,'S0',NULL,NULL,0,'D',1,73,0,0,'(empty)',17); INSERT INTO "conn" VALUES(1.30047516709701204296e+09,'fv9q7WjEgp1','fe80::217:f2ff:fed7:cf65',5353,'ff02::fb',5353,17,'udp',NULL,NULL,NULL,NULL,'S0',NULL,NULL,0,'D',1,199,0,0,'(empty)',17); diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 70a6e5e239..4375673021 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -f85ad5a1e6b3e4787195f39ba042e33f6c91ec0b +c36d3945546457e5791316ce34947147ba1b0342 
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 49ea79e514..927076b5b4 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -827fa8dd1fb7ea548d3329e2833f5defd5c7c8e0 +ef56ba5182491ec888eebaa8d4984951fdb40466