Merge branch 'master' into topic/vern/lambda-copy-semantics

Jon Siwek 2021-01-11 11:48:45 -08:00
commit 614fade0a4
68 changed files with 21745 additions and 252 deletions

24
CHANGES

@ -1,3 +1,27 @@
4.1.0-dev.52 | 2021-01-11 11:11:13 -0800
* Remove unusable/broken RocksDB code and options (Jon Siwek, Corelight)
The Broker RockSDB data store backend was previously unusable
and broken, so all code and options related to it are now removed.
4.1.0-dev.51 | 2021-01-07 17:02:28 -0800
* Virtualize Obj::GetLocationInfo() (Vern Paxson, Corelight)
Cleaner approach for localizing errors associated with duplicated ASTs.
* Add support for inlining of Zeek script functions (Vern Paxson, Corelight)
* Add support for duplicating Zeek ASTS (Vern Paxson, Corelight)
* Update COPYING to 2021 (Johanna Amann, Corelight)
4.1.0-dev.27 | 2021-01-06 20:42:35 -0800
* GH-1347: Update cmake module to fix ZeekPluginDynamic's find_package(CAF) (Jon Siwek, Corelight)
4.1.0-dev.25 | 2020-12-28 15:37:20 -0700 4.1.0-dev.25 | 2020-12-28 15:37:20 -0700
* Add LGTM config file (Jon Siwek, Corelight) * Add LGTM config file (Jon Siwek, Corelight)


@ -1,4 +1,4 @@
Copyright (c) 1995-2018, The Regents of the University of California Copyright (c) 1995-2021, The Regents of the University of California
through the Lawrence Berkeley National Laboratory and the through the Lawrence Berkeley National Laboratory and the
International Computer Science Institute. All rights reserved. International Computer Science Institute. All rights reserved.

3
NEWS

@ -15,6 +15,9 @@ Changed Functionality
Removed Functionality Removed Functionality
--------------------- ---------------------
- Support for the RocksDB Broker data store was previously broken and unusable,
so all code/options related to it are now removed.
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------


@ -1 +1 @@
4.1.0-dev.25 4.1.0-dev.52

@ -1 +1 @@
Subproject commit 00f69a62ae6e755d9655208e601a3a4c29ff8b5a Subproject commit 624e5525f54d4a15c35687d42301045f1769d3e1

@ -1 +1 @@
Subproject commit 0622e88cef0e4cf9e0843af2a78a039a99ae8744 Subproject commit c33447a02166dc8e2f436b6c0411891431a04d13

@ -1 +1 @@
Subproject commit ec0c30e767fc0cbf943384766fd26c37871e8626 Subproject commit e82cb55903a1991ac75542f0d8a2fd57d46133b2

@ -1 +1 @@
Subproject commit 5b85a7620ed28ac2c4c96e43621d1e10b39e5ae3 Subproject commit b820f9d73221882a5f9932849ff8c15a58ea5bde

@ -1 +1 @@
Subproject commit 7f44a91c409dec11da94945343888801d99bc856 Subproject commit b2ce33bc3e4f57a72cd7bb7db2e3c7dc62e7a202

@ -1 +1 @@
Subproject commit 132d91817d60d872af094eda55757e3f58716541 Subproject commit e2cee1d50a66a11391fefe896b2f18e64849009e

2
cmake

@ -1 +1 @@
Subproject commit 2be57664680c23dc3b3b140f45c7bc5ab61256b1 Subproject commit 74259745dea5ee4889d1ac1f4ebde4e2c59c329a


@ -55,7 +55,6 @@ export {
type BackendType: enum { type BackendType: enum {
MEMORY, MEMORY,
SQLITE, SQLITE,
ROCKSDB,
}; };
## Options to tune the SQLite storage backend. ## Options to tune the SQLite storage backend.
@ -66,18 +65,9 @@ export {
path: string &default = ""; path: string &default = "";
}; };
## Options to tune the RocksDB storage backend.
type RocksDBOptions: record {
## File system path of the database.
## If left empty, will be derived from the name of the store,
## and use the '.rocksdb' file suffix.
path: string &default = "";
};
## Options to tune the particular storage backends. ## Options to tune the particular storage backends.
type BackendOptions: record { type BackendOptions: record {
sqlite: SQLiteOptions &default = SQLiteOptions(); sqlite: SQLiteOptions &default = SQLiteOptions();
rocksdb: RocksDBOptions &default = RocksDBOptions();
}; };
## Create a master data store which contains key-value pairs. ## Create a master data store which contains key-value pairs.


@ -393,9 +393,6 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store
if ( info$options$sqlite$path == default_options$sqlite$path ) if ( info$options$sqlite$path == default_options$sqlite$path )
info$options$sqlite$path = path + ".sqlite"; info$options$sqlite$path = path + ".sqlite";
if ( info$options$rocksdb$path == default_options$rocksdb$path )
info$options$rocksdb$path = path + ".rocksdb";
} }
if ( persistent ) if ( persistent )
@ -405,8 +402,6 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store
info$backend = Cluster::default_persistent_backend; info$backend = Cluster::default_persistent_backend;
break; break;
case Broker::SQLITE: case Broker::SQLITE:
fallthrough;
case Broker::ROCKSDB:
# no-op: user already asked for a specific persistent backend. # no-op: user already asked for a specific persistent backend.
break; break;
default: default:


@ -322,6 +322,12 @@ set(MAIN_SRCS
plugin/Manager.cc plugin/Manager.cc
plugin/Plugin.cc plugin/Plugin.cc
script_opt/Expr.cc
script_opt/Inline.cc
script_opt/ProfileFunc.cc
script_opt/ScriptOpt.cc
script_opt/Stmt.cc
nb_dns.c nb_dns.c
digest.h digest.h
) )


@ -39,7 +39,10 @@ const char* expr_name(BroExprTag t)
"$=", "in", "<<>>", "$=", "in", "<<>>",
"()", "function()", "event", "schedule", "()", "function()", "event", "schedule",
"coerce", "record_coerce", "table_coerce", "vector_coerce", "coerce", "record_coerce", "table_coerce", "vector_coerce",
"sizeof", "cast", "is", "[:]=" "sizeof", "cast", "is", "[:]=",
"inline()",
"nop",
}; };
if ( int(t) >= NUM_EXPRS ) if ( int(t) >= NUM_EXPRS )
@ -74,6 +77,12 @@ ListExpr* Expr::AsListExpr()
return (ListExpr*) this; return (ListExpr*) this;
} }
ListExprPtr Expr::AsListExprPtr()
{
CHECK_TAG(tag, EXPR_LIST, "ExprVal::AsListExpr", expr_name)
return {NewRef{}, (ListExpr*) this};
}
const NameExpr* Expr::AsNameExpr() const const NameExpr* Expr::AsNameExpr() const
{ {
CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name) CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name)
@ -86,6 +95,18 @@ NameExpr* Expr::AsNameExpr()
return (NameExpr*) this; return (NameExpr*) this;
} }
const ConstExpr* Expr::AsConstExpr() const
{
CHECK_TAG(tag, EXPR_CONST, "ExprVal::AsConstExpr", expr_name)
return (const ConstExpr*) this;
}
const CallExpr* Expr::AsCallExpr() const
{
CHECK_TAG(tag, EXPR_CALL, "ExprVal::AsCallExpr", expr_name)
return (const CallExpr*) this;
}
const AssignExpr* Expr::AsAssignExpr() const const AssignExpr* Expr::AsAssignExpr() const
{ {
CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name) CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name)
@ -110,6 +131,18 @@ IndexExpr* Expr::AsIndexExpr()
return (IndexExpr*) this; return (IndexExpr*) this;
} }
const EventExpr* Expr::AsEventExpr() const
{
CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
return (const EventExpr*) this;
}
EventExprPtr Expr::AsEventExprPtr()
{
CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
return {NewRef{}, (EventExpr*) this};
}
bool Expr::CanAdd() const bool Expr::CanAdd() const
{ {
return false; return false;
@ -258,7 +291,8 @@ void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
ODesc d; ODesc d;
d.SetShort(); d.SetShort();
Describe(&d); Describe(&d);
reporter->RuntimeError(GetLocationInfo(), "%s, expression: %s, call stack: %s", reporter->RuntimeError(GetLocationInfo(),
"%s, expression: %s, call stack: %s",
msg.data(), d.Description(), rcs.data()); msg.data(), d.Description(), rcs.data());
} }
} }
@ -935,6 +969,17 @@ void BinaryExpr::PromoteType(TypeTag t, bool is_vector)
SetType(base_type(t)); SetType(base_type(t));
} }
void BinaryExpr::PromoteForInterval(ExprPtr& op)
{
if ( is_vector(op1) || is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
SetType(base_type(TYPE_INTERVAL));
if ( op->GetType()->Tag() != TYPE_DOUBLE )
op = make_intrusive<ArithCoerceExpr>(op, TYPE_DOUBLE);
}
CloneExpr::CloneExpr(ExprPtr arg_op) CloneExpr::CloneExpr(ExprPtr arg_op)
: UnaryExpr(EXPR_CLONE, std::move(arg_op)) : UnaryExpr(EXPR_CLONE, std::move(arg_op))
{ {
@ -1417,12 +1462,7 @@ TimesExpr::TimesExpr(ExprPtr arg_op1, ExprPtr arg_op2)
if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL ) if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
{ {
if ( IsArithmetic(bt1) || IsArithmetic(bt2) ) if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
{ PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
if ( is_vector(op1) && is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2) );
}
else else
ExprError("multiplication with interval requires arithmetic operand"); ExprError("multiplication with interval requires arithmetic operand");
} }
@ -1458,12 +1498,7 @@ DivideExpr::DivideExpr(ExprPtr arg_op1, ExprPtr arg_op2)
if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL ) if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
{ {
if ( IsArithmetic(bt1) || IsArithmetic(bt2) ) if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
{ PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
if ( is_vector(op1) && is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2));
}
else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL ) else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
{ {
if ( is_vector(op1) || is_vector(op2) ) if ( is_vector(op1) || is_vector(op2) )
@ -3187,7 +3222,8 @@ TraversalCode RecordConstructorExpr::Traverse(TraversalCallback* cb) const
TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list, TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> arg_attrs, std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
TypePtr arg_type) TypePtr arg_type,
AttributesPtr arg_attrs2)
: UnaryExpr(EXPR_TABLE_CONSTRUCTOR, std::move(constructor_list)) : UnaryExpr(EXPR_TABLE_CONSTRUCTOR, std::move(constructor_list))
{ {
if ( IsError() ) if ( IsError() )
@ -3223,6 +3259,8 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
if ( arg_attrs ) if ( arg_attrs )
attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false); attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
else
attrs = arg_attrs2;
const auto& indices = type->AsTableType()->GetIndices()->GetTypes(); const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
const ExprPList& cle = op->AsListExpr()->Exprs(); const ExprPList& cle = op->AsListExpr()->Exprs();
@ -3322,7 +3360,8 @@ void TableConstructorExpr::ExprDescribe(ODesc* d) const
SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list, SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> arg_attrs, std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
TypePtr arg_type) TypePtr arg_type,
AttributesPtr arg_attrs2)
: UnaryExpr(EXPR_SET_CONSTRUCTOR, std::move(constructor_list)) : UnaryExpr(EXPR_SET_CONSTRUCTOR, std::move(constructor_list))
{ {
if ( IsError() ) if ( IsError() )
@ -3355,6 +3394,8 @@ SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
if ( arg_attrs ) if ( arg_attrs )
attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false); attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
else
attrs = arg_attrs2;
const auto& indices = type->AsTableType()->GetIndices()->GetTypes(); const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
ExprPList& cle = op->AsListExpr()->Exprs(); ExprPList& cle = op->AsListExpr()->Exprs();
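Review bot: In `BinaryExpr::PromoteForInterval`, the guard `op->GetType()->Tag() != TYPE_DOUBLE` inspects the operand's outer type, so for a vector operand it presumably sees the vector tag rather than the element type and wraps an operand that is already `vector of double` in an `ArithCoerceExpr`. The type selection just above it already distinguishes the vector case with `is_vector(op1) || is_vector(op2)`, so the coercion check should do the same, e.g. `auto tag = is_vector(op) ? op->GetType()->AsVectorType()->Yield()->Tag() : op->GetType()->Tag();` followed by `if ( tag != TYPE_DOUBLE )`. This applies to both call sites, `TimesExpr` and `DivideExpr`; their constructors begin and end outside the hunks shown, so how `bt1` and `bt2` are derived there cannot be confirmed from this page. A short comment at the two calls saying that the arithmetic (non-interval) operand is the one passed in, `IsArithmetic(bt1) ? op1 : op2`, would also make the intent easier to check.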


@ -10,6 +10,7 @@
#include "zeek/ZeekList.h" #include "zeek/ZeekList.h"
#include "zeek/IntrusivePtr.h" #include "zeek/IntrusivePtr.h"
#include "zeek/StmtBase.h"
#include "zeek/Timer.h" #include "zeek/Timer.h"
#include "zeek/Type.h" #include "zeek/Type.h"
#include "zeek/EventHandler.h" #include "zeek/EventHandler.h"
@ -66,13 +67,17 @@ enum BroExprTag : int {
EXPR_CAST, EXPR_CAST,
EXPR_IS, EXPR_IS,
EXPR_INDEX_SLICE_ASSIGN, EXPR_INDEX_SLICE_ASSIGN,
#define NUM_EXPRS (int(EXPR_INDEX_SLICE_ASSIGN) + 1) EXPR_INLINE,
EXPR_NOP,
#define NUM_EXPRS (int(EXPR_NOP) + 1)
}; };
extern const char* expr_name(BroExprTag t); extern const char* expr_name(BroExprTag t);
class ListExpr; class ListExpr;
class NameExpr; class NameExpr;
class ConstExpr;
class IndexExpr; class IndexExpr;
class AssignExpr; class AssignExpr;
class CallExpr; class CallExpr;
@ -82,7 +87,7 @@ class Stmt;
class Expr; class Expr;
using ExprPtr = IntrusivePtr<Expr>; using ExprPtr = IntrusivePtr<Expr>;
using EventExprPtr = IntrusivePtr<EventExpr>; using EventExprPtr = IntrusivePtr<EventExpr>;
using ListExprPtr = IntrusivePtr<ListExpr>; using StmtPtr = IntrusivePtr<Stmt>;
class Expr : public Obj { class Expr : public Obj {
public: public:
@ -99,6 +104,7 @@ public:
BroExprTag Tag() const { return tag; } BroExprTag Tag() const { return tag; }
Expr* Ref() { zeek::Ref(this); return this; } Expr* Ref() { zeek::Ref(this); return this; }
ExprPtr ThisPtr() { return {NewRef{}, this}; }
// Evaluates the expression and returns a corresponding Val*, // Evaluates the expression and returns a corresponding Val*,
// or nil if the expression's value isn't fixed. // or nil if the expression's value isn't fixed.
@ -171,22 +177,65 @@ public:
void MarkParen() { paren = true; } void MarkParen() { paren = true; }
bool IsParen() const { return paren; } bool IsParen() const { return paren; }
const ListExpr* AsListExpr() const; #define ZEEK_EXPR_ACCESSOR_DECLS(ctype) \
ListExpr* AsListExpr(); const ctype* As ## ctype () const; \
ctype* As ## ctype (); \
IntrusivePtr<ctype> As ## ctype ## Ptr ();
const NameExpr* AsNameExpr() const; ZEEK_EXPR_ACCESSOR_DECLS(ListExpr)
NameExpr* AsNameExpr(); ZEEK_EXPR_ACCESSOR_DECLS(NameExpr)
ZEEK_EXPR_ACCESSOR_DECLS(ConstExpr)
const AssignExpr* AsAssignExpr() const; ZEEK_EXPR_ACCESSOR_DECLS(CallExpr)
AssignExpr* AsAssignExpr(); ZEEK_EXPR_ACCESSOR_DECLS(AssignExpr)
ZEEK_EXPR_ACCESSOR_DECLS(IndexExpr)
const IndexExpr* AsIndexExpr() const; ZEEK_EXPR_ACCESSOR_DECLS(EventExpr)
IndexExpr* AsIndexExpr();
void Describe(ODesc* d) const override final; void Describe(ODesc* d) const override final;
virtual TraversalCode Traverse(TraversalCallback* cb) const = 0; virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
// Returns a duplicate of the expression.
virtual ExprPtr Duplicate() = 0;
// Recursively traverses the AST to inline eligible function calls.
virtual ExprPtr Inline(Inliner* inl) { return ThisPtr(); }
// Access to the original expression from which this one is derived,
// or this one if we don't have an original. Returns a bare pointer
// rather than an ExprPtr to emphasize that the access is read-only.
const Expr* Original() const
{ return original ? original->Original() : this; }
// Designate the given Expr node as the original for this one.
void SetOriginal(ExprPtr _orig)
{
if ( ! original )
original = std::move(_orig);
}
// A convenience function for taking a newly-created Expr,
// making it point to us as the successor, and returning it.
//
// Takes an Expr* rather than a ExprPtr to de-clutter the calling
// code, which is always passing in "new XyzExpr(...)". This
// call, as a convenient side effect, transforms that bare pointer
// into an ExprPtr.
virtual ExprPtr SetSucc(Expr* succ)
{
succ->SetOriginal(ThisPtr());
if ( IsParen() )
succ->MarkParen();
return {AdoptRef{}, succ};
}
const detail::Location* GetLocationInfo() const override
{
if ( original )
return original->GetLocationInfo();
else
return Obj::GetLocationInfo();
}
protected: protected:
Expr() = default; Expr() = default;
explicit Expr(BroExprTag arg_tag); explicit Expr(BroExprTag arg_tag);
@ -211,6 +260,11 @@ protected:
BroExprTag tag; BroExprTag tag;
TypePtr type; TypePtr type;
bool paren; bool paren;
// The original expression from which this statement was
// derived, if any. Used as an aid for generating meaningful
// and correctly-localized error messages.
ExprPtr original = nullptr;
}; };
class NameExpr final : public Expr { class NameExpr final : public Expr {
@ -226,6 +280,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -238,11 +295,15 @@ public:
explicit ConstExpr(ValPtr val); explicit ConstExpr(ValPtr val);
Val* Value() const { return val.get(); } Val* Value() const { return val.get(); }
ValPtr ValuePtr() const { return val; }
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
ValPtr val; ValPtr val;
@ -261,6 +322,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Inline(Inliner* inl) override;
protected: protected:
UnaryExpr(BroExprTag arg_tag, ExprPtr arg_op); UnaryExpr(BroExprTag arg_tag, ExprPtr arg_op);
@ -286,6 +350,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Inline(Inliner* inl) override;
protected: protected:
BinaryExpr(BroExprTag arg_tag, BinaryExpr(BroExprTag arg_tag,
ExprPtr arg_op1, ExprPtr arg_op2) ExprPtr arg_op1, ExprPtr arg_op2)
@ -325,6 +392,11 @@ protected:
// operands and also set expression's type). // operands and also set expression's type).
void PromoteType(TypeTag t, bool is_vector); void PromoteType(TypeTag t, bool is_vector);
// Promote one of the operands to be "double" (if not already),
// to make it suitable for combining with the other "interval"
// operand, yielding an "interval" type.
void PromoteForInterval(ExprPtr& op);
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
ExprPtr op1; ExprPtr op1;
@ -336,6 +408,9 @@ public:
explicit CloneExpr(ExprPtr op); explicit CloneExpr(ExprPtr op);
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -347,12 +422,18 @@ public:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
ValPtr DoSingleEval(Frame* f, Val* v) const; ValPtr DoSingleEval(Frame* f, Val* v) const;
bool IsPure() const override; bool IsPure() const override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class ComplementExpr final : public UnaryExpr { class ComplementExpr final : public UnaryExpr {
public: public:
explicit ComplementExpr(ExprPtr op); explicit ComplementExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -361,6 +442,9 @@ class NotExpr final : public UnaryExpr {
public: public:
explicit NotExpr(ExprPtr op); explicit NotExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -369,6 +453,9 @@ class PosExpr final : public UnaryExpr {
public: public:
explicit PosExpr(ExprPtr op); explicit PosExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -377,6 +464,9 @@ class NegExpr final : public UnaryExpr {
public: public:
explicit NegExpr(ExprPtr op); explicit NegExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -386,6 +476,9 @@ public:
explicit SizeExpr(ExprPtr op); explicit SizeExpr(ExprPtr op);
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -394,35 +487,53 @@ class AddExpr final : public BinaryExpr {
public: public:
AddExpr(ExprPtr op1, ExprPtr op2); AddExpr(ExprPtr op1, ExprPtr op2);
void Canonicize() override; void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class AddToExpr final : public BinaryExpr { class AddToExpr final : public BinaryExpr {
public: public:
AddToExpr(ExprPtr op1, ExprPtr op2); AddToExpr(ExprPtr op1, ExprPtr op2);
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class RemoveFromExpr final : public BinaryExpr { class RemoveFromExpr final : public BinaryExpr {
public: public:
RemoveFromExpr(ExprPtr op1, ExprPtr op2); RemoveFromExpr(ExprPtr op1, ExprPtr op2);
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class SubExpr final : public BinaryExpr { class SubExpr final : public BinaryExpr {
public: public:
SubExpr(ExprPtr op1, ExprPtr op2); SubExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class TimesExpr final : public BinaryExpr { class TimesExpr final : public BinaryExpr {
public: public:
TimesExpr(ExprPtr op1, ExprPtr op2); TimesExpr(ExprPtr op1, ExprPtr op2);
void Canonicize() override; void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class DivideExpr final : public BinaryExpr { class DivideExpr final : public BinaryExpr {
public: public:
DivideExpr(ExprPtr op1, ExprPtr op2); DivideExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr AddrFold(Val* v1, Val* v2) const override; ValPtr AddrFold(Val* v1, Val* v2) const override;
}; };
@ -430,6 +541,9 @@ protected:
class ModExpr final : public BinaryExpr { class ModExpr final : public BinaryExpr {
public: public:
ModExpr(ExprPtr op1, ExprPtr op2); ModExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class BoolExpr final : public BinaryExpr { class BoolExpr final : public BinaryExpr {
@ -438,11 +552,17 @@ public:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
ValPtr DoSingleEval(Frame* f, ValPtr v1, Expr* op2) const; ValPtr DoSingleEval(Frame* f, ValPtr v1, Expr* op2) const;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class BitExpr final : public BinaryExpr { class BitExpr final : public BinaryExpr {
public: public:
BitExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2); BitExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class EqExpr final : public BinaryExpr { class EqExpr final : public BinaryExpr {
@ -450,6 +570,9 @@ public:
EqExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2); EqExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
void Canonicize() override; void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v1, Val* v2) const override; ValPtr Fold(Val* v1, Val* v2) const override;
}; };
@ -458,6 +581,9 @@ class RelExpr final : public BinaryExpr {
public: public:
RelExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2); RelExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
void Canonicize() override; void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class CondExpr final : public Expr { class CondExpr final : public Expr {
@ -473,6 +599,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -487,6 +617,9 @@ public:
void Assign(Frame* f, ValPtr v) override; void Assign(Frame* f, ValPtr v) override;
ExprPtr MakeLvalue() override; ExprPtr MakeLvalue() override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class AssignExpr : public BinaryExpr { class AssignExpr : public BinaryExpr {
@ -509,6 +642,9 @@ public:
op2 = std::move(e); op2 = std::move(e);
} }
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
bool TypeCheck(const AttributesPtr& attrs = nullptr); bool TypeCheck(const AttributesPtr& attrs = nullptr);
bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2); bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
@ -522,6 +658,9 @@ public:
IndexSliceAssignExpr(ExprPtr op1, IndexSliceAssignExpr(ExprPtr op1,
ExprPtr op2, bool is_init); ExprPtr op2, bool is_init);
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class IndexExpr : public BinaryExpr { class IndexExpr : public BinaryExpr {
@ -546,6 +685,9 @@ public:
bool IsSlice() const { return is_slice; } bool IsSlice() const { return is_slice; }
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v1, Val* v2) const override; ValPtr Fold(Val* v1, Val* v2) const override;
@ -585,6 +727,9 @@ public:
return v; return v;
} }
// Optimization-related:
ExprPtr Duplicate() override;
}; };
class FieldExpr final : public UnaryExpr { class FieldExpr final : public UnaryExpr {
@ -602,6 +747,9 @@ public:
ExprPtr MakeLvalue() override; ExprPtr MakeLvalue() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
@ -621,6 +769,9 @@ public:
const char* FieldName() const { return field_name; } const char* FieldName() const { return field_name; }
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
@ -643,6 +794,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override; ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -655,7 +809,8 @@ class TableConstructorExpr final : public UnaryExpr {
public: public:
TableConstructorExpr(ListExprPtr constructor_list, TableConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> attrs, std::unique_ptr<std::vector<AttrPtr>> attrs,
TypePtr arg_type = nullptr); TypePtr arg_type = nullptr,
AttributesPtr arg_attrs = nullptr);
[[deprecated("Remove in v4.1. Use GetAttrs().")]] [[deprecated("Remove in v4.1. Use GetAttrs().")]]
Attributes* Attrs() { return attrs.get(); } Attributes* Attrs() { return attrs.get(); }
@ -665,6 +820,9 @@ public:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override; ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -677,7 +835,8 @@ class SetConstructorExpr final : public UnaryExpr {
public: public:
SetConstructorExpr(ListExprPtr constructor_list, SetConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> attrs, std::unique_ptr<std::vector<AttrPtr>> attrs,
TypePtr arg_type = nullptr); TypePtr arg_type = nullptr,
AttributesPtr arg_attrs = nullptr);
[[deprecated("Remove in v4.1. Use GetAttrs().")]] [[deprecated("Remove in v4.1. Use GetAttrs().")]]
Attributes* Attrs() { return attrs.get(); } Attributes* Attrs() { return attrs.get(); }
@ -687,6 +846,9 @@ public:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override; ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -702,6 +864,9 @@ public:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override; ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -717,6 +882,9 @@ public:
void EvalIntoAggregate(const zeek::Type* t, Val* aggr, Frame* f) const override; void EvalIntoAggregate(const zeek::Type* t, Val* aggr, Frame* f) const override;
bool IsRecordElement(TypeDecl* td) const override; bool IsRecordElement(TypeDecl* td) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -727,6 +895,9 @@ class ArithCoerceExpr final : public UnaryExpr {
public: public:
ArithCoerceExpr(ExprPtr op, TypeTag t); ArithCoerceExpr(ExprPtr op, TypeTag t);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr FoldSingleVal(Val* v, InternalTypeTag t) const; ValPtr FoldSingleVal(Val* v, InternalTypeTag t) const;
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
@ -737,6 +908,9 @@ public:
RecordCoerceExpr(ExprPtr op, RecordTypePtr r); RecordCoerceExpr(ExprPtr op, RecordTypePtr r);
~RecordCoerceExpr() override; ~RecordCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override; ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
@ -752,6 +926,9 @@ public:
TableCoerceExpr(ExprPtr op, TableTypePtr r); TableCoerceExpr(ExprPtr op, TableTypePtr r);
~TableCoerceExpr() override; ~TableCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -761,6 +938,9 @@ public:
VectorCoerceExpr(ExprPtr op, VectorTypePtr v); VectorCoerceExpr(ExprPtr op, VectorTypePtr v);
~VectorCoerceExpr() override; ~VectorCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
}; };
@ -790,6 +970,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -801,6 +985,9 @@ class InExpr final : public BinaryExpr {
public: public:
InExpr(ExprPtr op1, ExprPtr op2); InExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v1, Val* v2) const override; ValPtr Fold(Val* v1, Val* v2) const override;
@ -820,6 +1007,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -843,6 +1034,10 @@ public:
Scope* GetScope() const; Scope* GetScope() const;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -869,6 +1064,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -900,6 +1099,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected: protected:
ValPtr AddSetInit(const zeek::Type* t, ValPtr aggr) const; ValPtr AddSetInit(const zeek::Type* t, ValPtr aggr) const;
@ -918,6 +1121,9 @@ class CastExpr final : public UnaryExpr {
public: public:
CastExpr(ExprPtr op, TypePtr t); CastExpr(ExprPtr op, TypePtr t);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Eval(Frame* f) const override; ValPtr Eval(Frame* f) const override;
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -927,6 +1133,9 @@ class IsExpr final : public UnaryExpr {
public: public:
IsExpr(ExprPtr op, TypePtr t); IsExpr(ExprPtr op, TypePtr t);
// Optimization-related:
ExprPtr Duplicate() override;
protected: protected:
ValPtr Fold(Val* v) const override; ValPtr Fold(Val* v) const override;
void ExprDescribe(ODesc* d) const override; void ExprDescribe(ODesc* d) const override;
@ -935,6 +1144,33 @@ private:
TypePtr t; TypePtr t;
}; };
class InlineExpr : public Expr {
public:
InlineExpr(ListExprPtr arg_args, std::vector<IDPtr> params, StmtPtr body,
int frame_offset, TypePtr ret_type);
bool IsPure() const override;
ListExprPtr Args() const { return args; }
StmtPtr Body() const { return body; }
ValPtr Eval(Frame* f) const override;
ExprPtr Duplicate() override;
TraversalCode Traverse(TraversalCallback* cb) const override;
protected:
void ExprDescribe(ODesc* d) const override;
std::vector<IDPtr> params;
int frame_offset;
ListExprPtr args;
StmtPtr body;
};
inline Val* Expr::ExprVal() const inline Val* Expr::ExprVal() const
{ {
if ( ! IsConst() ) if ( ! IsConst() )


@ -39,6 +39,7 @@ Frame::Frame(int arg_size, const ScriptFunc* func, const zeek::Args* fn_args)
captures = function ? function->GetCapturesFrame() : nullptr; captures = function ? function->GetCapturesFrame() : nullptr;
captures_offset_map = captures_offset_map =
function ? function->GetCapturesOffsetMap() : nullptr; function ? function->GetCapturesOffsetMap() : nullptr;
current_offset = 0;
} }
Frame::~Frame() Frame::~Frame()
@ -77,12 +78,16 @@ void Frame::SetElement(int n, Val* v)
void Frame::SetElement(int n, ValPtr v) void Frame::SetElement(int n, ValPtr v)
{ {
n += current_offset;
ClearElement(n); ClearElement(n);
frame[n] = {std::move(v), false}; frame[n] = {std::move(v), false};
} }
void Frame::SetElementWeak(int n, Val* v) void Frame::SetElementWeak(int n, Val* v)
{ {
n += current_offset;
ClearElement(n); ClearElement(n);
frame[n] = {{AdoptRef{}, v}, true}; frame[n] = {{AdoptRef{}, v}, true};
} }
@ -140,10 +145,10 @@ const ValPtr& Frame::GetElementByID(const ID* id) const
{ {
auto where = offset_map->find(std::string(id->Name())); auto where = offset_map->find(std::string(id->Name()));
if ( where != offset_map->end() ) if ( where != offset_map->end() )
return frame[where->second].val; return frame[where->second + current_offset].val;
} }
return frame[id->Offset()].val; return frame[id->Offset() + current_offset].val;
} }
void Frame::Reset(int startIdx) void Frame::Reset(int startIdx)
@ -162,7 +167,7 @@ void Frame::Reset(int startIdx)
functions_with_closure_frame_reference.reset(); functions_with_closure_frame_reference.reset();
} }
for ( int i = startIdx; i < size; ++i ) for ( int i = startIdx + current_offset; i < size; ++i )
ClearElement(i); ClearElement(i);
} }
@ -267,7 +272,7 @@ Frame* Frame::SelectiveClone(const IDPList& selection, ScriptFunc* func) const
} }
} }
if ( ! frame[id->Offset()].val ) if ( ! frame[id->Offset() + current_offset].val )
reporter->InternalError("Attempted to clone an id ('%s') with no associated value.", id->Name()); reporter->InternalError("Attempted to clone an id ('%s') with no associated value.", id->Name());
CloneNonFuncElement(id->Offset(), func, other); CloneNonFuncElement(id->Offset(), func, other);
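Review bot: In `Frame::SelectiveClone` the null check now reads `frame[id->Offset() + current_offset]`, but the call that follows still passes the unadjusted `id->Offset()` to `CloneNonFuncElement`, so unless that helper applies `current_offset` itself (its body is outside these hunks) the check and the copy refer to different slots whenever the offset is non-zero. Separately, `SetElement`, `SetElementWeak` and `GetElementByID` now index `frame` with an offset-adjusted value and no bounds check, so a frame that was not enlarged for an inlined callee would be read or written past its end. Something like `assert(n >= 0 && n < size);` after `n += current_offset;` would turn that into a diagnosable failure. `Reset` now starts at `startIdx + current_offset`, which deserves a comment saying whether callers pass a relative or an absolute index.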


@ -59,7 +59,12 @@ public:
* @return the value at index *n* of the underlying array. * @return the value at index *n* of the underlying array.
*/ */
const ValPtr& GetElement(int n) const const ValPtr& GetElement(int n) const
{ return frame[n].val; } {
// Note: technically this may want to adjust by current_offset, but
// in practice, this method is never called from anywhere other than
// function call invocation, where current_offset should be zero.
return frame[n].val;
}
[[deprecated("Remove in v4.1. Use GetElement(int).")]] [[deprecated("Remove in v4.1. Use GetElement(int).")]]
Val* NthElement(int n) const { return frame[n].val.get(); } Val* NthElement(int n) const { return frame[n].val.get(); }
@ -99,6 +104,15 @@ public:
Val* GetElement(const ID* id) const Val* GetElement(const ID* id) const
{ return GetElementByID(id).get(); } { return GetElementByID(id).get(); }
/**
* Adjusts the current offset being used for frame accesses.
* This is in support of inlined functions.
*
* @param incr Amount by which to increase the frame offset.
* Use a negative value to shrink the offset.
*/
void AdjustOffset(int incr) { current_offset += incr; }
/** /**
* Resets all of the indexes from [*startIdx, frame_size) in * Resets all of the indexes from [*startIdx, frame_size) in
* the Frame. * the Frame.
@ -338,6 +352,13 @@ private:
/** Associates ID's offsets with values. */ /** Associates ID's offsets with values. */
std::unique_ptr<Element[]> frame; std::unique_ptr<Element[]> frame;
/**
* The offset we're currently using for references into the frame.
* This is how we support inlined functions without having to
* alter the offsets associated with their local variables.
*/
int current_offset;
/** The enclosing frame of this frame. Used for reference semantics. */ /** The enclosing frame of this frame. Used for reference semantics. */
Frame* closure; Frame* closure;
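Review bot: `GetElement(int n)` deliberately skips `current_offset` and relies on the comment's claim that it is only reached with a zero offset, but nothing enforces that. Adding `assert(current_offset == 0);` before the `return` would make the assumption checkable instead of silently returning the wrong slot; the deprecated `NthElement(int)` has the same unadjusted access. `current_offset` is declared without an initializer and is set to 0 only in the `Frame::Frame` constructor hunk shown on this page, so `int current_offset = 0;` in the class would cover any other construction path. `AdjustOffset` is public and unchecked, so its doc comment should state that every increment must be undone by a matching decrement on every exit path.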


@ -310,6 +310,7 @@ ScriptFunc::ScriptFunc(const IDPtr& arg_id, StmtPtr arg_body,
{ {
Body b; Body b;
b.stmts = AddInits(std::move(arg_body), aggr_inits); b.stmts = AddInits(std::move(arg_body), aggr_inits);
current_body = b.stmts;
b.priority = priority; b.priority = priority;
bodies.push_back(b); bodies.push_back(b);
} }
@ -387,8 +388,7 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const
for ( const auto& body : bodies ) for ( const auto& body : bodies )
{ {
if ( sample_logger ) if ( sample_logger )
sample_logger->LocationSeen( sample_logger->LocationSeen(body.stmts->GetLocationInfo());
body.stmts->GetLocationInfo());
// Fill in the rest of the frame with the function's arguments. // Fill in the rest of the frame with the function's arguments.
for ( auto j = 0u; j < args->size(); ++j ) for ( auto j = 0u; j < args->size(); ++j )
@ -550,6 +550,8 @@ void ScriptFunc::AddBody(StmtPtr new_body,
b.stmts = new_body; b.stmts = new_body;
b.priority = priority; b.priority = priority;
current_body = new_body;
bodies.push_back(b); bodies.push_back(b);
sort(bodies.begin(), bodies.end()); sort(bodies.begin(), bodies.end());
} }
@ -701,6 +703,7 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
type = id->GetType<FuncType>(); type = id->GetType<FuncType>();
id->SetVal(make_intrusive<Val>(IntrusivePtr{NewRef{}, this})); id->SetVal(make_intrusive<Val>(IntrusivePtr{NewRef{}, this}));
id->SetConst();
} }
BuiltinFunc::~BuiltinFunc() BuiltinFunc::~BuiltinFunc()
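Review bot: `current_body` is assigned in `AddBody` just before `sort(bodies.begin(), bodies.end())`, so once a function has several bodies it names the most recently added one rather than any particular position in `bodies`. A comment at the assignment such as `// latest body added, independent of the sorted order of bodies` would stop readers assuming it matches `bodies.back()`. The added `id->SetConst();` in the `BuiltinFunc` constructor likewise has no comment saying why built-in function identifiers are now marked constant. Both enclosing functions start outside the hunks shown.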


@ -10,6 +10,7 @@
#include <type_traits> #include <type_traits>
#include "zeek/ZeekList.h" #include "zeek/ZeekList.h"
#include "zeek/Stmt.h"
#include "zeek/Obj.h" #include "zeek/Obj.h"
#include "zeek/IntrusivePtr.h" #include "zeek/IntrusivePtr.h"
#include "zeek/Type.h" /* for function_flavor */ #include "zeek/Type.h" /* for function_flavor */
@ -43,6 +44,8 @@ using ScopePtr = IntrusivePtr<Scope>;
using IDPtr = IntrusivePtr<ID>; using IDPtr = IntrusivePtr<ID>;
using StmtPtr = IntrusivePtr<Stmt>; using StmtPtr = IntrusivePtr<Stmt>;
class ScriptFunc;
} // namespace detail } // namespace detail
class Func; class Func;
@ -232,6 +235,22 @@ public:
const std::vector<IDPtr>& new_inits, const std::vector<IDPtr>& new_inits,
size_t new_frame_size, int priority) override; size_t new_frame_size, int priority) override;
StmtPtr CurrentBody() const { return current_body; }
/**
* Returns the function's frame size.
* @return The number of ValPtr slots in the function's frame.
*/
int FrameSize() const { return frame_size; }
/**
* Changes the function's frame size to a new size - used for
* script optimization/compilation.
*
* @param new_size The frame size the function should use.
*/
void SetFrameSize(int new_size) { frame_size = new_size; }
/** Sets this function's outer_id list. */ /** Sets this function's outer_id list. */
void SetOuterIDs(IDPList ids) void SetOuterIDs(IDPList ids)
{ outer_ids = std::move(ids); } { outer_ids = std::move(ids); }
@ -283,6 +302,9 @@ private:
Frame* captures_frame = nullptr; Frame* captures_frame = nullptr;
OffsetMap* captures_offset_mapping = nullptr; OffsetMap* captures_offset_mapping = nullptr;
// The most recently added/updated body.
StmtPtr current_body;
}; };
using built_in_func = BifReturnVal (*)(Frame* frame, const Args* args); using built_in_func = BifReturnVal (*)(Frame* frame, const Args* args);
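Review bot: `SetFrameSize(int new_size)` stores whatever it is given, and `frame_size` presumably determines how many slots are allocated for this function's frames, so a negative value or one smaller than the largest local offset would only surface later as an out-of-range frame access. The doc comment should state the precondition, and the cheap part can be checked directly, e.g. `assert(new_size >= 0);`. `CurrentBody()` is the only new accessor without a doc comment; one line saying it returns the most recently added body (possibly null when no body has been added yet) would match its neighbours.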


@ -110,7 +110,7 @@ public:
void AddLocation(ODesc* d) const; void AddLocation(ODesc* d) const;
// Get location info for debugging. // Get location info for debugging.
const detail::Location* GetLocationInfo() const virtual const detail::Location* GetLocationInfo() const
{ return location ? location : &detail::no_location; } { return location ? location : &detail::no_location; }
virtual bool SetLocationInfo(const detail::Location* loc) virtual bool SetLocationInfo(const detail::Location* loc)


@ -3,6 +3,7 @@
#include "zeek-config.h" #include "zeek-config.h"
#include "zeek/Options.h" #include "zeek/Options.h"
#include "zeek/script_opt/ScriptOpt.h"
#include <unistd.h> #include <unistd.h>
@ -104,6 +105,7 @@ void usage(const char* prog, int code)
fprintf(stderr, " -H|--save-seeds <file> | save seeds to given file\n"); fprintf(stderr, " -H|--save-seeds <file> | save seeds to given file\n");
fprintf(stderr, " -I|--print-id <ID name> | print out given ID\n"); fprintf(stderr, " -I|--print-id <ID name> | print out given ID\n");
fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n"); fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n");
fprintf(stderr, " -O|--optimize[=<option>] | enable script optimization (use -O help for options)\n");
fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n");
fprintf(stderr, " -Q|--time | print execution time summary to stderr\n"); fprintf(stderr, " -Q|--time | print execution time summary to stderr\n");
fprintf(stderr, " -S|--debug-rules | enable rule debugging\n"); fprintf(stderr, " -S|--debug-rules | enable rule debugging\n");
@ -141,6 +143,30 @@ void usage(const char* prog, int code)
exit(code); exit(code);
} }
static void set_analysis_option(const char* opt, Options& opts)
{
if ( util::streq(opt, "help") )
{
fprintf(stderr, "--optimize options:\n");
fprintf(stderr, " help print this list\n");
fprintf(stderr, " inline inline function calls\n");
fprintf(stderr, " recursive report on recursive functions and exit\n");
exit(0);
}
if ( util::streq(opt, "inline") )
opts.analysis_options.inliner = true;
else if ( util::streq(opt, "recursive") )
opts.analysis_options.inliner =
opts.analysis_options.report_recursive = true;
else
{
fprintf(stderr,"zeek: unrecognized --optimize option: %s\n", opt);
exit(1);
}
}
Options parse_cmdline(int argc, char** argv) Options parse_cmdline(int argc, char** argv)
{ {
Options rval; Options rval;
@ -252,6 +278,7 @@ Options parse_cmdline(int argc, char** argv)
{"load-seeds", required_argument, nullptr, 'G'}, {"load-seeds", required_argument, nullptr, 'G'},
{"save-seeds", required_argument, nullptr, 'H'}, {"save-seeds", required_argument, nullptr, 'H'},
{"print-plugins", no_argument, nullptr, 'N'}, {"print-plugins", no_argument, nullptr, 'N'},
{"optimize", required_argument, nullptr, 'O'},
{"prime-dns", no_argument, nullptr, 'P'}, {"prime-dns", no_argument, nullptr, 'P'},
{"time", no_argument, nullptr, 'Q'}, {"time", no_argument, nullptr, 'Q'},
{"debug-rules", no_argument, nullptr, 'S'}, {"debug-rules", no_argument, nullptr, 'S'},
@ -279,7 +306,7 @@ Options parse_cmdline(int argc, char** argv)
}; };
char opts[256]; char opts[256];
util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:p:r:s:T:t:U:w:X:CDFNPQSWabdhv", util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:O:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
sizeof(opts)); sizeof(opts));
#ifdef USE_PERFTOOLS_DEBUG #ifdef USE_PERFTOOLS_DEBUG
@ -401,6 +428,9 @@ Options parse_cmdline(int argc, char** argv)
case 'N': case 'N':
++rval.print_plugins; ++rval.print_plugins;
break; break;
case 'O':
set_analysis_option(optarg, rval);
break;
case 'P': case 'P':
if ( rval.dns_mode != detail::DNS_DEFAULT ) if ( rval.dns_mode != detail::DNS_DEFAULT )
usage(zargs[0], 1); usage(zargs[0], 1);
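Review bot: The usage line advertises `-O|--optimize[=<option>]` as if the argument were optional, but the long option is registered with `required_argument` and the short-option string uses `O:`, so a bare `-O` or `--optimize` is rejected by getopt rather than enabling a default. Either change the usage text to `-O|--optimize <option>`, or register the option as `optional_argument` and have `set_analysis_option` handle a null `optarg` before it reaches `util::streq`. The body of `parse_cmdline` extends outside the hunks shown.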


@ -7,6 +7,7 @@
#include <vector> #include <vector>
#include "zeek/DNS_Mgr.h" #include "zeek/DNS_Mgr.h"
#include "zeek/script_opt/ScriptOpt.h"
namespace zeek { namespace zeek {
@ -76,6 +77,9 @@ struct Options {
std::vector<std::string> script_options_to_set; std::vector<std::string> script_options_to_set;
std::vector<std::string> script_args; std::vector<std::string> script_args;
// For script optimization:
detail::AnalyOpt analysis_options;
}; };
/** /**


@ -47,20 +47,6 @@ const IDPtr& Scope::Find(std::string_view name) const
return ID::nil; return ID::nil;
} }
IDPtr Scope::Remove(std::string_view name)
{
auto entry = local.find(name);
if ( entry != local.end() )
{
auto id = std::move(entry->second);
local.erase(entry);
return id;
}
return nullptr;
}
IDPtr Scope::GenerateTemporary(const char* name) IDPtr Scope::GenerateTemporary(const char* name)
{ {
return make_intrusive<ID>(name, SCOPE_FUNCTION, false); return make_intrusive<ID>(name, SCOPE_FUNCTION, false);
@ -188,6 +174,7 @@ IDPtr install_ID(const char* name, const char* module_name,
void push_existing_scope(Scope* scope) void push_existing_scope(Scope* scope)
{ {
top_scope = scope;
scopes.push_back(scope); scopes.push_back(scope);
} }


@ -44,9 +44,11 @@ public:
{ return Find(name).get(); } { return Find(name).get(); }
template<typename N, typename I> template<typename N, typename I>
void Insert(N&& name, I&& id) { local[std::forward<N>(name)] = std::forward<I>(id); } void Insert(N&& name, I&& id)
{
IDPtr Remove(std::string_view name); local[std::forward<N>(name)] = std::forward<I>(id);
ordered_vars.push_back(std::forward<I>(id));
}
[[deprecated("Remove in v4.1. Use GetID().")]] [[deprecated("Remove in v4.1. Use GetID().")]]
ID* ScopeID() const { return scope_id.get(); } ID* ScopeID() const { return scope_id.get(); }
@ -64,7 +66,8 @@ public:
{ return return_type; } { return return_type; }
size_t Length() const { return local.size(); } size_t Length() const { return local.size(); }
const auto& Vars() { return local; } const auto& Vars() const { return local; }
const auto& OrderedVars() const { return ordered_vars; }
IDPtr GenerateTemporary(const char* name); IDPtr GenerateTemporary(const char* name);
@ -86,6 +89,13 @@ protected:
TypePtr return_type; TypePtr return_type;
std::map<std::string, IDPtr, std::less<>> local; std::map<std::string, IDPtr, std::less<>> local;
std::vector<IDPtr> inits; std::vector<IDPtr> inits;
// We keep track of identifiers in the order that they're added.
// This is necessary for script optimization to be able to find
// event/hook parameters for instances where the declaration of
// an additional handler uses different names for the parameters
// than the original declaration.
std::vector<IntrusivePtr<ID>> ordered_vars;
}; };
// If no_global is true, don't search in the default "global" namespace. // If no_global is true, don't search in the default "global" namespace.
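Review bot: `Scope::Insert` forwards `id` twice. `local[std::forward<N>(name)] = std::forward<I>(id);` may move from `id` when the caller passes an rvalue, and the following `ordered_vars.push_back(std::forward<I>(id));` then stores a moved-from (typically null) pointer. Copy first and forward last: `ordered_vars.push_back(id);` followed by `local[std::forward<N>(name)] = std::forward<I>(id);`. Inserting a name that already exists also replaces the map entry while still appending to `ordered_vars`, so the vector can retain a stale identifier; whether any caller re-inserts a name is not visible here.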


@ -70,6 +70,30 @@ ForStmt* Stmt::AsForStmt()
return (ForStmt*) this; return (ForStmt*) this;
} }
const ForStmt* Stmt::AsForStmt() const
{
CHECK_TAG(tag, STMT_FOR, "Stmt::AsForStmt", stmt_name)
return (const ForStmt*) this;
}
const InitStmt* Stmt::AsInitStmt() const
{
CHECK_TAG(tag, STMT_INIT, "Stmt::AsInitStmt", stmt_name)
return (const InitStmt*) this;
}
const WhenStmt* Stmt::AsWhenStmt() const
{
CHECK_TAG(tag, STMT_WHEN, "Stmt::AsWhenStmt", stmt_name)
return (const WhenStmt*) this;
}
const SwitchStmt* Stmt::AsSwitchStmt() const
{
CHECK_TAG(tag, STMT_SWITCH, "Stmt::AsSwitchStmt", stmt_name)
return (const SwitchStmt*) this;
}
bool Stmt::SetLocationInfo(const Location* start, const Location* end) bool Stmt::SetLocationInfo(const Location* start, const Location* end)
{ {
if ( ! Obj::SetLocationInfo(start, end) ) if ( ! Obj::SetLocationInfo(start, end) )
@ -111,6 +135,11 @@ bool Stmt::IsPure() const
} }
void Stmt::Describe(ODesc* d) const void Stmt::Describe(ODesc* d) const
{
StmtDescribe(d);
}
void Stmt::StmtDescribe(ODesc* d) const
{ {
if ( ! d->IsReadable() || Tag() != STMT_EXPR ) if ( ! d->IsReadable() || Tag() != STMT_EXPR )
AddTag(d); AddTag(d);
@ -181,9 +210,9 @@ ValPtr ExprListStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr; return nullptr;
} }
void ExprListStmt::Describe(ODesc* d) const void ExprListStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
l->Describe(d); l->Describe(d);
DescribeDone(d); DescribeDone(d);
} }
@ -348,9 +377,9 @@ bool ExprStmt::IsPure() const
return ! e || e->IsPure(); return ! e || e->IsPure();
} }
void ExprStmt::Describe(ODesc* d) const void ExprStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
if ( d->IsReadable() && Tag() == STMT_IF ) if ( d->IsReadable() && Tag() == STMT_IF )
d->Add("("); d->Add("(");
@ -425,9 +454,9 @@ bool IfStmt::IsPure() const
return e->IsPure() && s1->IsPure() && s2->IsPure(); return e->IsPure() && s1->IsPure() && s2->IsPure();
} }
void IfStmt::Describe(ODesc* d) const void IfStmt::StmtDescribe(ODesc* d) const
{ {
ExprStmt::Describe(d); ExprStmt::StmtDescribe(d);
d->PushIndent(); d->PushIndent();
s1->AccessStats(d); s1->AccessStats(d);
@ -895,9 +924,9 @@ bool SwitchStmt::IsPure() const
return true; return true;
} }
void SwitchStmt::Describe(ODesc* d) const void SwitchStmt::StmtDescribe(ODesc* d) const
{ {
ExprStmt::Describe(d); ExprStmt::StmtDescribe(d);
if ( ! d->IsBinary() ) if ( ! d->IsBinary() )
d->Add("{"); d->Add("{");
@ -1048,9 +1077,9 @@ bool WhileStmt::IsPure() const
return loop_condition->IsPure() && body->IsPure(); return loop_condition->IsPure() && body->IsPure();
} }
void WhileStmt::Describe(ODesc* d) const void WhileStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
if ( d->IsReadable() ) if ( d->IsReadable() )
d->Add("("); d->Add("(");
@ -1326,9 +1355,9 @@ bool ForStmt::IsPure() const
return e->IsPure() && body->IsPure(); return e->IsPure() && body->IsPure();
} }
void ForStmt::Describe(ODesc* d) const void ForStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
if ( d->IsReadable() ) if ( d->IsReadable() )
d->Add("("); d->Add("(");
@ -1395,9 +1424,9 @@ bool NextStmt::IsPure() const
return true; return true;
} }
void NextStmt::Describe(ODesc* d) const void NextStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
Stmt::DescribeDone(d); Stmt::DescribeDone(d);
} }
@ -1422,9 +1451,9 @@ bool BreakStmt::IsPure() const
return true; return true;
} }
void BreakStmt::Describe(ODesc* d) const void BreakStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
Stmt::DescribeDone(d); Stmt::DescribeDone(d);
} }
@ -1449,9 +1478,9 @@ bool FallthroughStmt::IsPure() const
return false; return false;
} }
void FallthroughStmt::Describe(ODesc* d) const void FallthroughStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
Stmt::DescribeDone(d); Stmt::DescribeDone(d);
} }
@ -1519,9 +1548,9 @@ ValPtr ReturnStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr; return nullptr;
} }
void ReturnStmt::Describe(ODesc* d) const void ReturnStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
if ( ! d->IsReadable() ) if ( ! d->IsReadable() )
d->Add(e != nullptr); d->Add(e != nullptr);
@ -1581,7 +1610,7 @@ bool StmtList::IsPure() const
return true; return true;
} }
void StmtList::Describe(ODesc* d) const void StmtList::StmtDescribe(ODesc* d) const
{ {
if ( ! d->IsReadable() ) if ( ! d->IsReadable() )
{ {
@ -1657,7 +1686,7 @@ ValPtr EventBodyList::Exec(Frame* f, StmtFlowType& flow) const
return nullptr; return nullptr;
} }
void EventBodyList::Describe(ODesc* d) const void EventBodyList::StmtDescribe(ODesc* d) const
{ {
if ( d->IsReadable() && stmts.length() > 0 ) if ( d->IsReadable() && stmts.length() > 0 )
{ {
@ -1681,7 +1710,7 @@ void EventBodyList::Describe(ODesc* d) const
} }
else else
StmtList::Describe(d); StmtList::StmtDescribe(d);
} }
InitStmt::InitStmt(std::vector<IDPtr> arg_inits) : Stmt(STMT_INIT) InitStmt::InitStmt(std::vector<IDPtr> arg_inits) : Stmt(STMT_INIT)
@ -1724,7 +1753,7 @@ ValPtr InitStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr; return nullptr;
} }
void InitStmt::Describe(ODesc* d) const void InitStmt::StmtDescribe(ODesc* d) const
{ {
AddTag(d); AddTag(d);
@ -1769,7 +1798,7 @@ bool NullStmt::IsPure() const
return true; return true;
} }
void NullStmt::Describe(ODesc* d) const void NullStmt::StmtDescribe(ODesc* d) const
{ {
if ( d->IsReadable() ) if ( d->IsReadable() )
DescribeDone(d); DescribeDone(d);
@ -1831,9 +1860,9 @@ bool WhenStmt::IsPure() const
return cond->IsPure() && s1->IsPure() && (! s2 || s2->IsPure()); return cond->IsPure() && s1->IsPure() && (! s2 || s2->IsPure());
} }
void WhenStmt::Describe(ODesc* d) const void WhenStmt::StmtDescribe(ODesc* d) const
{ {
Stmt::Describe(d); Stmt::StmtDescribe(d);
if ( d->IsReadable() ) if ( d->IsReadable() )
d->Add("("); d->Add("(");


@ -2,86 +2,27 @@
#pragma once #pragma once
// Zeek statements.
#include "zeek/StmtBase.h"
#include "zeek/ZeekList.h" #include "zeek/ZeekList.h"
#include "zeek/Dict.h" #include "zeek/Dict.h"
#include "zeek/ID.h" #include "zeek/ID.h"
#include "zeek/Obj.h"
#include "zeek/StmtEnums.h"
#include "zeek/TraverseTypes.h"
ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
namespace zeek::run_state { extern double network_time; }
namespace zeek::detail { namespace zeek::detail {
class StmtList;
class ForStmt;
class EventExpr;
class ListExpr;
using EventExprPtr = IntrusivePtr<EventExpr>;
using ListExprPtr = IntrusivePtr<ListExpr>;
class Stmt;
using StmtPtr = IntrusivePtr<Stmt>;
class Stmt : public Obj {
public:
StmtTag Tag() const { return tag; }
~Stmt() override;
virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
Stmt* Ref() { zeek::Ref(this); return this; }
bool SetLocationInfo(const Location* loc) override
{ return Stmt::SetLocationInfo(loc, loc); }
bool SetLocationInfo(const Location* start, const Location* end) override;
// True if the statement has no side effects, false otherwise.
virtual bool IsPure() const;
StmtList* AsStmtList();
const StmtList* AsStmtList() const;
ForStmt* AsForStmt();
void RegisterAccess() const { last_access = run_state::network_time; access_count++; }
void AccessStats(ODesc* d) const;
uint32_t GetAccessCount() const { return access_count; }
void Describe(ODesc* d) const override;
virtual void IncrBPCount() { ++breakpoint_count; }
virtual void DecrBPCount();
virtual unsigned int BPCount() const { return breakpoint_count; }
virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
protected:
explicit Stmt(StmtTag arg_tag);
void AddTag(ODesc* d) const;
void DescribeDone(ODesc* d) const;
StmtTag tag;
int breakpoint_count; // how many breakpoints on this statement
// FIXME: Learn the exact semantics of mutable.
mutable double last_access; // time of last execution
mutable uint32_t access_count; // number of executions
};
class ExprListStmt : public Stmt { class ExprListStmt : public Stmt {
public: public:
const ListExpr* ExprList() const { return l.get(); } const ListExpr* ExprList() const { return l.get(); }
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
void Inline(Inliner* inl) override;
protected: protected:
ExprListStmt(StmtTag t, ListExprPtr arg_l); ExprListStmt(StmtTag t, ListExprPtr arg_l);
@ -91,7 +32,7 @@ protected:
virtual ValPtr DoExec(std::vector<ValPtr> vals, virtual ValPtr DoExec(std::vector<ValPtr> vals,
StmtFlowType& flow) const = 0; StmtFlowType& flow) const = 0;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
ListExprPtr l; ListExprPtr l;
}; };
@ -101,6 +42,9 @@ public:
template<typename L> template<typename L>
explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { } explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { }
// Optimization-related:
StmtPtr Duplicate() override;
protected: protected:
ValPtr DoExec(std::vector<ValPtr> vals, ValPtr DoExec(std::vector<ValPtr> vals,
StmtFlowType& flow) const override; StmtFlowType& flow) const override;
@ -115,10 +59,14 @@ public:
const Expr* StmtExpr() const { return e.get(); } const Expr* StmtExpr() const { return e.get(); }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ExprStmt(StmtTag t, ExprPtr e); ExprStmt(StmtTag t, ExprPtr e);
@ -137,10 +85,14 @@ public:
const Stmt* TrueBranch() const { return s1.get(); } const Stmt* TrueBranch() const { return s1.get(); }
const Stmt* FalseBranch() const { return s2.get(); } const Stmt* FalseBranch() const { return s2.get(); }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override; ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
@ -167,6 +119,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const; TraversalCode Traverse(TraversalCallback* cb) const;
// Optimization-related:
IntrusivePtr<Case> Duplicate();
protected: protected:
ListExprPtr expr_cases; ListExprPtr expr_cases;
IDPList* type_cases; IDPList* type_cases;
@ -182,10 +137,14 @@ public:
const case_list* Cases() const { return cases; } const case_list* Cases() const { return cases; }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override; ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
@ -224,6 +183,9 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
}; };
class DelStmt final : public ExprStmt { class DelStmt final : public ExprStmt {
@ -234,6 +196,9 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
}; };
class EventStmt final : public ExprStmt { class EventStmt final : public ExprStmt {
@ -244,6 +209,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
protected: protected:
EventExprPtr event_expr; EventExprPtr event_expr;
}; };
@ -256,15 +224,27 @@ public:
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
const Stmt* CondStmt() const
{ return loop_cond_stmt ? loop_cond_stmt.get() : nullptr; }
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
ExprPtr loop_condition; ExprPtr loop_condition;
StmtPtr body; StmtPtr body;
// Optimization-related member variables.
// When in reduced form, the following holds a statement (which
// might be a block) for evaluating the loop's conditional.
StmtPtr loop_cond_stmt = nullptr;
}; };
class ForStmt final : public ExprStmt { class ForStmt final : public ExprStmt {
@ -276,16 +256,21 @@ public:
void AddBody(StmtPtr arg_body) { body = std::move(arg_body); } void AddBody(StmtPtr arg_body) { body = std::move(arg_body); }
const IDPList* LoopVar() const { return loop_vars; } const IDPList* LoopVars() const { return loop_vars; }
IDPtr ValueVar() const { return value_var; }
const Expr* LoopExpr() const { return e.get(); } const Expr* LoopExpr() const { return e.get(); }
const Stmt* LoopBody() const { return body.get(); } const Stmt* LoopBody() const { return body.get(); }
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override; ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
@ -303,10 +288,12 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new NextStmt()); }
protected: protected:
}; };
@ -317,10 +304,13 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new BreakStmt()); }
protected: protected:
}; };
@ -331,10 +321,14 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override
{ return SetSucc(new FallthroughStmt()); }
protected: protected:
}; };
@ -344,7 +338,14 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
// Optimization-related:
StmtPtr Duplicate() override;
// Constructor used for duplication, when we've already done
// all of the type-checking.
ReturnStmt(ExprPtr e, bool ignored);
}; };
class StmtList : public Stmt { class StmtList : public Stmt {
@ -357,10 +358,14 @@ public:
const StmtPList& Stmts() const { return stmts; } const StmtPList& Stmts() const { return stmts; }
StmtPList& Stmts() { return stmts; } StmtPList& Stmts() { return stmts; }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
bool IsPure() const override; bool IsPure() const override;
@ -374,7 +379,7 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
// "Topmost" means that this is the main body of a function or event. // "Topmost" means that this is the main body of a function or event.
// void SetTopmost(bool is_topmost) { topmost = is_topmost; } // void SetTopmost(bool is_topmost) { topmost = is_topmost; }
@ -393,10 +398,13 @@ public:
const std::vector<IDPtr>& Inits() const const std::vector<IDPtr>& Inits() const
{ return inits; } { return inits; }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
protected: protected:
std::vector<IDPtr> inits; std::vector<IDPtr> inits;
}; };
@ -408,9 +416,12 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override; ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override; bool IsPure() const override;
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new NullStmt()); }
}; };
class WhenStmt final : public Stmt { class WhenStmt final : public Stmt {
@ -429,10 +440,14 @@ public:
const Expr* TimeoutExpr() const { return timeout.get(); } const Expr* TimeoutExpr() const { return timeout.get(); }
const Stmt* TimeoutBody() const { return s2.get(); } const Stmt* TimeoutBody() const { return s2.get(); }
void Describe(ODesc* d) const override; void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override; TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected: protected:
ExprPtr cond; ExprPtr cond;
StmtPtr s1; StmtPtr s1;
@ -443,7 +458,6 @@ protected:
} // namespace zeek::detail } // namespace zeek::detail
using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;
using ExprListStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprListStmt instead.")]] = zeek::detail::ExprListStmt; using ExprListStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprListStmt instead.")]] = zeek::detail::ExprListStmt;
using PrintStmt [[deprecated("Remove in v4.1. Use zeek::detail::PrintStmt instead.")]] = zeek::detail::PrintStmt; using PrintStmt [[deprecated("Remove in v4.1. Use zeek::detail::PrintStmt instead.")]] = zeek::detail::PrintStmt;
using ExprStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprStmt instead.")]] = zeek::detail::ExprStmt; using ExprStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprStmt instead.")]] = zeek::detail::ExprStmt;

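--- a/src/StmtBase.h
+++ b/src/StmtBase.h
@@ -0,0 +1,146 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+#pragma once
+// Base class for Zeek statements. We maintain it separately from
+// the bulk of Stmt.h to allow Expr.h to include it, necessary for
+// Expr.h to use StmtPtr.
+#include "zeek/Obj.h"
+#include "zeek/IntrusivePtr.h"
+#include "zeek/StmtEnums.h"
+#include "zeek/TraverseTypes.h"
+#include "zeek/util.h"
+ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
+ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
+namespace zeek::run_state { extern double network_time; }
+namespace zeek {
+class Val;
+using ValPtr = IntrusivePtr<Val>;
+}
+namespace zeek::detail {
+class StmtList;
+class ForStmt;
+class InitStmt;
+class WhenStmt;
+class SwitchStmt;
+class EventExpr;
+class ListExpr;
+using EventExprPtr = IntrusivePtr<EventExpr>;
+using ListExprPtr = IntrusivePtr<ListExpr>;
+class Inliner;
+class Stmt;
+using StmtPtr = IntrusivePtr<Stmt>;
+class Stmt : public Obj {
+public:
+StmtTag Tag() const { return tag; }
+~Stmt() override;
+virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
+Stmt* Ref() { zeek::Ref(this); return this; }
+bool SetLocationInfo(const Location* loc) override
+{ return Stmt::SetLocationInfo(loc, loc); }
+bool SetLocationInfo(const Location* start, const Location* end) override;
+// True if the statement has no side effects, false otherwise.
+virtual bool IsPure() const;
+StmtList* AsStmtList();
+const StmtList* AsStmtList() const;
+ForStmt* AsForStmt();
+const ForStmt* AsForStmt() const;
+const InitStmt* AsInitStmt() const;
+const WhenStmt* AsWhenStmt() const;
+const SwitchStmt* AsSwitchStmt() const;
+void RegisterAccess() const { last_access = run_state::network_time; access_count++; }
+void AccessStats(ODesc* d) const;
+uint32_t GetAccessCount() const { return access_count; }
+void Describe(ODesc* d) const final;
+virtual void IncrBPCount() { ++breakpoint_count; }
+virtual void DecrBPCount();
+virtual unsigned int BPCount() const { return breakpoint_count; }
+virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
+// Returns a duplicate of the statement.
+virtual StmtPtr Duplicate() = 0;
+// Recursively traverses the AST to inline eligible function calls.
+virtual void Inline(Inliner* inl) { }
+// Access to the original statement from which this one is derived,
+// or this one if we don't have an original. Returns a bare pointer
+// rather than a StmtPtr to emphasize that the access is read-only.
+const Stmt* Original() const
+{ return original ? original->Original() : this; }
+// Designate the given Stmt node as the original for this one.
+void SetOriginal(StmtPtr _orig)
+{
+if ( ! original )
+original = std::move(_orig);
+}
+// A convenience function for taking a newly-created Stmt,
+// making it point to us as the successor, and returning it.
+//
+// Takes a Stmt* rather than a StmtPtr to de-clutter the calling
+// code, which is always passing in "new XyzStmt(...)". This
+// call, as a convenient side effect, transforms that bare pointer
+// into a StmtPtr.
+virtual StmtPtr SetSucc(Stmt* succ)
+{
+succ->SetOriginal({NewRef{}, this});
+return {AdoptRef{}, succ};
+}
+const detail::Location* GetLocationInfo() const override
+{
+if ( original )
+return original->GetLocationInfo();
+else
+return Obj::GetLocationInfo();
+}
+protected:
+explicit Stmt(StmtTag arg_tag);
+void AddTag(ODesc* d) const;
+virtual void StmtDescribe(ODesc* d) const;
+void DescribeDone(ODesc* d) const;
+StmtTag tag;
+int breakpoint_count; // how many breakpoints on this statement
+// FIXME: Learn the exact semantics of mutable.
+mutable double last_access; // time of last execution
+mutable uint32_t access_count; // number of executions
+// The original statement from which this statement was
+// derived, if any. Used as an aid for generating meaningful
+// and correctly-localized error messages.
+StmtPtr original = nullptr;
+};
+} // namespace zeek::detail
+using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;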
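Review bot: `SetOriginal()` stores the immediate predecessor, so each round of `Duplicate()` lengthens the `original` chain and keeps every intermediate AST alive through the `NewRef` taken in `SetSucc()`; `Original()` and `GetLocationInfo()` then walk that chain on every call. Within this header only the root of the chain is ever read back, so it could be collapsed when it is set, e.g. `original = _orig->original ? _orig->original : std::move(_orig);` inside the existing `if ( ! original )`. `SetSucc()` also dereferences `succ` without a null check, which its comment should state as a precondition. The header uses `std::move` and `uint32_t` without including `<utility>` and `<cstdint>`, which appears to rely on transitive includes.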


@ -16,8 +16,10 @@ enum TraversalCode {
#define HANDLE_TC_STMT_PRE(code) \ #define HANDLE_TC_STMT_PRE(code) \
{ \ { \
if ( (code) == zeek::detail::TC_ABORTALL || (code) == zeek::detail::TC_ABORTSTMT ) \ if ( (code) == zeek::detail::TC_ABORTALL ) \
return (code); \ return (code); \
else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
return zeek::detail::TC_CONTINUE; \
} }
#define HANDLE_TC_STMT_POST(code) \ #define HANDLE_TC_STMT_POST(code) \
@ -32,8 +34,10 @@ enum TraversalCode {
#define HANDLE_TC_EXPR_PRE(code) \ #define HANDLE_TC_EXPR_PRE(code) \
{ \ { \
if ( (code) != zeek::detail::TC_CONTINUE ) \ if ( (code) == zeek::detail::TC_ABORTALL ) \
return (code); \ return (code); \
else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
return zeek::detail::TC_CONTINUE; \
} }
#define HANDLE_TC_EXPR_POST(code) \ #define HANDLE_TC_EXPR_POST(code) \
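Review bot: `HANDLE_TC_EXPR_PRE` used to return every code other than `TC_CONTINUE`, and after this change it acts only on `TC_ABORTALL` and `TC_ABORTSTMT`, so any other `TraversalCode` value now falls through and the traversal carries on. The enum body is outside the hunk, so whether such a value exists cannot be confirmed here; if it does, a final `else if ( (code) != zeek::detail::TC_CONTINUE ) return (code);` branch would keep the old behaviour for it. Both PRE macros would also benefit from a comment above them such as `// TC_ABORTSTMT stops descent into this node but lets the parent continue.`, since returning `TC_CONTINUE` for an abort code is not obvious at the call sites.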


@ -17,6 +17,8 @@
#include "zeek/module_util.h" #include "zeek/module_util.h"
#include "zeek/ID.h" #include "zeek/ID.h"
#include "zeek/script_opt/ScriptOpt.h"
namespace zeek::detail { namespace zeek::detail {
static ValPtr init_val(Expr* init, const Type* t, ValPtr aggr) static ValPtr init_val(Expr* init, const Type* t, ValPtr aggr)
@ -717,8 +719,20 @@ TraversalCode OuterIDBindingFinder::PostExpr(const Expr* expr)
return TC_CONTINUE; return TC_CONTINUE;
} }
static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");
void end_func(StmtPtr body) void end_func(StmtPtr body)
{ {
if ( duplicate_ASTs && reporter->Errors() == 0 )
// Only try duplication in the absence of errors. If errors
// have occurred, they can be re-generated during the
// duplication process, leading to regression failures due
// to duplicated error messages.
//
// We duplicate twice to make sure that the AST produced
// by duplicating can itself be correctly duplicated.
body = body->Duplicate()->Duplicate();
auto ingredients = std::make_unique<function_ingredients>(pop_scope(), std::move(body)); auto ingredients = std::make_unique<function_ingredients>(pop_scope(), std::move(body));
if ( ingredients->id->HasVal() ) if ( ingredients->id->HasVal() )
@ -740,7 +754,11 @@ void end_func(StmtPtr body)
ingredients->id->SetConst(); ingredients->id->SetConst();
} }
ingredients->id->GetVal()->AsFunc()->SetScope(ingredients->scope); auto func = cast_intrusive<ScriptFunc>(ingredients->id->GetVal()->AsFuncPtr());
func->SetScope(ingredients->scope);
analyze_func(std::move(func));
// Note: ideally, something would take ownership of this memory until the // Note: ideally, something would take ownership of this memory until the
// end of script execution, but that's essentially the same as the // end of script execution, but that's essentially the same as the
// lifetime of the process at the moment, so ok to "leak" it. // lifetime of the process at the moment, so ok to "leak" it.
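Review bot: `static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");` converts the returned pointer to bool, so the double duplication is switched on by any value of the variable, including `ZEEK_DUPLICATE_ASTS=0` or an empty string. Writing it as `getenv("ZEEK_DUPLICATE_ASTS") != nullptr` with a one-line comment, or testing the value itself, would make the intent explicit. In the second hunk `cast_intrusive<ScriptFunc>(...)` is applied without a kind check; if `end_func` can ever see a non-script function value (not visible here), a guard like the `GetKind() != Func::SCRIPT_FUNC` test in Inline.cc would be safer. The body of `end_func` continues outside both hunks.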


@ -5,11 +5,6 @@ include_directories(BEFORE
${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_BINARY_DIR}
) )
if ( ROCKSDB_INCLUDE_DIR )
add_definitions(-DHAVE_ROCKSDB)
include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR})
endif ()
set(comm_SRCS set(comm_SRCS
Data.cc Data.cc
Manager.cc Manager.cc


@ -252,9 +252,6 @@ void Manager::InitializeBrokerStoreForwarding()
case broker::backend::sqlite: case broker::backend::sqlite:
suffix = ".sqlite"; suffix = ".sqlite";
break; break;
case broker::backend::rocksdb:
suffix = ".rocksdb";
break;
default: default:
break; break;
} }
@ -1596,9 +1593,6 @@ detail::StoreHandleVal* Manager::MakeMaster(const string& name, broker::backend
case broker::backend::sqlite: case broker::backend::sqlite:
suffix = ".sqlite"; suffix = ".sqlite";
break; break;
case broker::backend::rocksdb:
suffix = ".rocksdb";
break;
default: default:
break; break;
} }


@ -27,45 +27,11 @@ EnumValPtr query_status(bool success)
void StoreHandleVal::ValDescribe(ODesc* d) const void StoreHandleVal::ValDescribe(ODesc* d) const
{ {
//using BifEnum::Broker::BackendType;
d->Add("broker::store::"); d->Add("broker::store::");
//switch ( store_type ) {
// case broker::frontend::FRONTEND:
// d->Add("frontend");
// break;
// case broker::frontend::MASTER:
// d->Add("master");
// break;
// case broker::frontend::CLONE:
// d->Add("clone");
// break;
//default:
// d->Add("unknown");
// }
d->Add("{"); d->Add("{");
d->Add(store.name()); d->Add(store.name());
//if ( backend_type )
// {
// d->Add(", ");
// switch ( *backend_type ) {
// case BackendType::MEMORY:
// d->Add("memory");
// break;
// case BackendType::SQLITE:
// d->Add("sqlite");
// break;
// case BackendType::ROCKSDB:
// d->Add("rocksdb");
// break;
// default:
// d->Add("unknown");
// }
// }
d->Add("}"); d->Add("}");
} }
@ -91,9 +57,6 @@ broker::backend to_backend_type(BifEnum::Broker::BackendType type)
case BifEnum::Broker::SQLITE: case BifEnum::Broker::SQLITE:
return broker::backend::sqlite; return broker::backend::sqlite;
case BifEnum::Broker::ROCKSDB:
return broker::backend::rocksdb;
} }
throw std::runtime_error("unknown broker backend"); throw std::runtime_error("unknown broker backend");
@ -110,13 +73,6 @@ broker::backend_options to_backend_options(broker::backend backend,
return {{"path", path}}; return {{"path", path}};
} }
case broker::backend::rocksdb:
{
auto path = options->GetField(1)->AsRecordVal()
->GetField(0)->AsStringVal()->CheckString();
return {{"path", path}};
}
default: default:
break; break;
} }


@ -20,7 +20,6 @@ type Broker::BackendOptions: record;
enum BackendType %{ enum BackendType %{
MEMORY, MEMORY,
SQLITE, SQLITE,
ROCKSDB,
%} %}
function Broker::__create_master%(id: string, b: BackendType, function Broker::__create_master%(id: string, b: BackendType,

536
src/script_opt/Expr.cc Normal file

@ -0,0 +1,536 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Optimization-related methods for Expr classes.
#include "zeek/Expr.h"
#include "zeek/Stmt.h"
#include "zeek/Func.h"
#include "zeek/Frame.h"
#include "zeek/Scope.h"
#include "zeek/Desc.h"
#include "zeek/Traverse.h"
#include "zeek/Reporter.h"
#include "zeek/script_opt/Inline.h"
namespace zeek::detail {
ExprPtr NameExpr::Duplicate()
{
return SetSucc(new NameExpr(id, in_const_init));
}
ExprPtr ConstExpr::Duplicate()
{
return SetSucc(new ConstExpr(val));
}
ExprPtr UnaryExpr::Inline(Inliner* inl)
{
op = op->Inline(inl);
return ThisPtr();
}
ExprPtr BinaryExpr::Inline(Inliner* inl)
{
op1 = op1->Inline(inl);
op2 = op2->Inline(inl);
return ThisPtr();
}
ExprPtr CloneExpr::Duplicate()
{
// oh the irony
return SetSucc(new CloneExpr(op->Duplicate()));
}
ExprPtr IncrExpr::Duplicate()
{
return SetSucc(new IncrExpr(tag, op->Duplicate()));
}
ExprPtr ComplementExpr::Duplicate()
{
return SetSucc(new ComplementExpr(op->Duplicate()));
}
ExprPtr NotExpr::Duplicate()
{
return SetSucc(new NotExpr(op->Duplicate()));
}
ExprPtr PosExpr::Duplicate()
{
return SetSucc(new PosExpr(op->Duplicate()));
}
ExprPtr NegExpr::Duplicate()
{
return SetSucc(new NegExpr(op->Duplicate()));
}
ExprPtr SizeExpr::Duplicate()
{
return SetSucc(new SizeExpr(op->Duplicate()));
}
ExprPtr AddExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new AddExpr(op1_d, op2_d));
}
ExprPtr AddToExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new AddToExpr(op1_d, op2_d));
}
ExprPtr SubExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new SubExpr(op1_d, op2_d));
}
ExprPtr RemoveFromExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new RemoveFromExpr(op1_d, op2_d));
}
ExprPtr TimesExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new TimesExpr(op1_d, op2_d));
}
ExprPtr DivideExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new DivideExpr(op1_d, op2_d));
}
ExprPtr ModExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new ModExpr(op1_d, op2_d));
}
ExprPtr BoolExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new BoolExpr(tag, op1_d, op2_d));
}
ExprPtr BitExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new BitExpr(tag, op1_d, op2_d));
}
ExprPtr EqExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new EqExpr(tag, op1_d, op2_d));
}
ExprPtr RelExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new RelExpr(tag, op1_d, op2_d));
}
ExprPtr CondExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
auto op3_d = op3->Duplicate();
return SetSucc(new CondExpr(op1_d, op2_d, op3_d));
}
ExprPtr CondExpr::Inline(Inliner* inl)
{
op1 = op1->Inline(inl);
op2 = op2->Inline(inl);
op3 = op3->Inline(inl);
return ThisPtr();
}
ExprPtr RefExpr::Duplicate()
{
return SetSucc(new RefExpr(op->Duplicate()));
}
ExprPtr AssignExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new AssignExpr(op1_d, op2_d, is_init, val));
}
ExprPtr IndexSliceAssignExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new IndexSliceAssignExpr(op1_d, op2_d, is_init));
}
ExprPtr IndexExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_l = op2->Duplicate()->AsListExprPtr();
return SetSucc(new IndexExpr(op1_d, op2_l, is_slice));
}
ExprPtr IndexExprWhen::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_l = op2->Duplicate()->AsListExprPtr();
return SetSucc(new IndexExprWhen(op1_d, op2_l, is_slice));
}
ExprPtr FieldExpr::Duplicate()
{
return SetSucc(new FieldExpr(op->Duplicate(), field_name));
}
ExprPtr HasFieldExpr::Duplicate()
{
return SetSucc(new HasFieldExpr(op->Duplicate(), field_name));
}
ExprPtr RecordConstructorExpr::Duplicate()
{
auto op_l = op->Duplicate()->AsListExprPtr();
return SetSucc(new RecordConstructorExpr(op_l));
}
ExprPtr TableConstructorExpr::Duplicate()
{
auto op_l = op->Duplicate()->AsListExprPtr();
TypePtr t;
if ( (type && type->GetName().size() > 0) ||
! op->AsListExpr()->Exprs().empty() )
t = type;
else
// Use a null type rather than the one inferred, to instruct
// the constructor to again infer the type.
t = nullptr;
return SetSucc(new TableConstructorExpr(op_l, nullptr, t, attrs));
}
ExprPtr SetConstructorExpr::Duplicate()
{
auto op_l = op->Duplicate()->AsListExprPtr();
TypePtr t;
if ( (type && type->GetName().size() > 0) ||
! op->AsListExpr()->Exprs().empty() )
t = type;
else
// Use a null type rather than the one inferred, to instruct
// the constructor to again infer the type.
t = nullptr;
return SetSucc(new SetConstructorExpr(op_l, nullptr, t, attrs));
}
ExprPtr VectorConstructorExpr::Duplicate()
{
auto op_l = op->Duplicate()->AsListExprPtr();
if ( op->AsListExpr()->Exprs().empty() )
return SetSucc(new VectorConstructorExpr(op_l, nullptr));
else
return SetSucc(new VectorConstructorExpr(op_l, type));
}
ExprPtr FieldAssignExpr::Duplicate()
{
auto op_dup = op->Duplicate();
return SetSucc(new FieldAssignExpr(field_name.c_str(), op_dup));
}
ExprPtr ArithCoerceExpr::Duplicate()
{
auto op_dup = op->Duplicate();
TypeTag tag;
if ( type->Tag() == TYPE_VECTOR )
tag = type->AsVectorType()->Yield()->Tag();
else
tag = type->Tag();
return SetSucc(new ArithCoerceExpr(op_dup, tag));
}
ExprPtr RecordCoerceExpr::Duplicate()
{
auto op_dup = op->Duplicate();
return SetSucc(new RecordCoerceExpr(op_dup, GetType<RecordType>()));
}
ExprPtr TableCoerceExpr::Duplicate()
{
auto op_dup = op->Duplicate();
return SetSucc(new TableCoerceExpr(op_dup, GetType<TableType>()));
}
ExprPtr VectorCoerceExpr::Duplicate()
{
auto op_dup = op->Duplicate();
return SetSucc(new VectorCoerceExpr(op_dup, GetType<VectorType>()));
}
ExprPtr ScheduleExpr::Duplicate()
{
auto when_d = when->Duplicate();
auto event_d = event->Duplicate()->AsEventExprPtr();
return SetSucc(new ScheduleExpr(when_d, event_d));
}
ExprPtr ScheduleExpr::Inline(Inliner* inl)
{
when = when->Inline(inl);
event = event->Inline(inl)->AsEventExprPtr();
return ThisPtr();
}
ExprPtr InExpr::Duplicate()
{
auto op1_d = op1->Duplicate();
auto op2_d = op2->Duplicate();
return SetSucc(new InExpr(op1_d, op2_d));
}
ExprPtr CallExpr::Duplicate()
{
auto func_d = func->Duplicate();
auto args_d = args->Duplicate()->AsListExprPtr();
auto func_type = func->GetType();
auto in_hook = func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK;
return SetSucc(new CallExpr(func_d, args_d, in_hook));
}
ExprPtr CallExpr::Inline(Inliner* inl)
{
auto new_me = inl->CheckForInlining({NewRef{}, this});
if ( new_me.get() != this )
return new_me;
// We're not inlining, but perhaps our elements should be.
func = func->Inline(inl);
args = cast_intrusive<ListExpr>(args->Inline(inl));
return ThisPtr();
}
ExprPtr LambdaExpr::Duplicate()
{
auto ingr = std::make_unique<function_ingredients>(*ingredients);
ingr->body = ingr->body->Duplicate();
return SetSucc(new LambdaExpr(std::move(ingr), outer_ids));
}
ExprPtr LambdaExpr::Inline(Inliner* inl)
{
// Don't inline these, we currently don't get the closure right.
return ThisPtr();
}
ExprPtr EventExpr::Duplicate()
{
auto args_d = args->Duplicate()->AsListExprPtr();
return SetSucc(new EventExpr(name.c_str(), args_d));
}
ExprPtr EventExpr::Inline(Inliner* inl)
{
args = cast_intrusive<ListExpr>(args->Inline(inl));
return ThisPtr();
}
ExprPtr ListExpr::Duplicate()
{
auto new_l = new ListExpr();
loop_over_list(exprs, i)
new_l->Append(exprs[i]->Duplicate());
return SetSucc(new_l);
}
ExprPtr ListExpr::Inline(Inliner* inl)
{
loop_over_list(exprs, i)
exprs[i] = exprs[i]->Inline(inl).release();
return ThisPtr();
}
ExprPtr CastExpr::Duplicate()
{
return SetSucc(new CastExpr(op->Duplicate(), type));
}
ExprPtr IsExpr::Duplicate()
{
return SetSucc(new IsExpr(op->Duplicate(), t));
}
InlineExpr::InlineExpr(ListExprPtr arg_args, std::vector<IDPtr> arg_params,
StmtPtr arg_body, int _frame_offset, TypePtr ret_type)
: Expr(EXPR_INLINE), args(std::move(arg_args)), body(std::move(arg_body))
{
params = std::move(arg_params);
frame_offset = _frame_offset;
type = std::move(ret_type);
}
bool InlineExpr::IsPure() const
{
return args->IsPure() && body->IsPure();
}
ValPtr InlineExpr::Eval(Frame* f) const
{
auto v = eval_list(f, args.get());
if ( ! v )
return nullptr;
int nargs = args->Exprs().length();
f->Reset(frame_offset + nargs);
f->AdjustOffset(frame_offset);
// Assign the arguments.
for ( auto i = 0; i < nargs; ++i )
f->SetElement(i, (*v)[i]);
auto flow = FLOW_NEXT;
ValPtr result;
try
{
result = body->Exec(f, flow);
}
catch ( InterpreterException& e )
{
f->AdjustOffset(-frame_offset);
throw;
}
f->AdjustOffset(-frame_offset);
return result;
}
ExprPtr InlineExpr::Duplicate()
{
auto args_d = args->Duplicate()->AsListExprPtr();
auto body_d = body->Duplicate();
return SetSucc(new InlineExpr(args_d, params, body_d, frame_offset, type));
}
TraversalCode InlineExpr::Traverse(TraversalCallback* cb) const
{
TraversalCode tc = cb->PreExpr(this);
HANDLE_TC_EXPR_PRE(tc);
tc = args->Traverse(cb);
HANDLE_TC_EXPR_PRE(tc);
tc = body->Traverse(cb);
HANDLE_TC_EXPR_PRE(tc);
tc = cb->PostExpr(this);
HANDLE_TC_EXPR_POST(tc);
}
void InlineExpr::ExprDescribe(ODesc* d) const
{
if ( d->IsReadable() || d->IsPortable() )
{
d->Add("inline(");
args->Describe(d);
d->Add("){");
body->Describe(d);
d->Add("}");
}
else
{
args->Describe(d);
body->Describe(d);
}
}
} // namespace zeek::detail
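Review bot: `InlineExpr::Eval` restores the frame offset only on the normal path and for `InterpreterException`, so any other exception leaving `body->Exec()` or the argument assignment would leave `f` shifted by `frame_offset` for the caller. A small scope guard created right after `f->AdjustOffset(frame_offset)` covers every exit and makes the try/catch unnecessary. Separately, `ListExpr::Inline` overwrites `exprs[i]` with a `release()`d pointer without dropping the reference the list held on the previous element; whether that balances depends on `ThisPtr()`, which is not shown in this file, so it is worth confirming.

```cpp
	f->Reset(frame_offset + nargs);
	f->AdjustOffset(frame_offset);

	// Undo the offset on every exit path, including exceptions.
	struct OffsetGuard
		{
		Frame* frame;
		int offset;
		~OffsetGuard() { frame->AdjustOffset(-offset); }
		} guard{f, frame_offset};

	// … unchanged: argument assignment loop …

	auto flow = FLOW_NEXT;
	return body->Exec(f, flow);
```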

239
src/script_opt/Inline.cc Normal file

@ -0,0 +1,239 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/script_opt/Inline.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/Desc.h"
namespace zeek::detail {
void Inliner::Analyze()
{
// Locate self- and indirectly recursive functions.
// Maps each function to any functions that it calls, either
// directly or (ultimately) indirectly.
std::unordered_map<const Func*, std::unordered_set<const Func*>> call_set;
// Prime the call set for each function with the functions it
// directly calls.
for ( auto& f : funcs )
{
std::unordered_set<const Func*> cs;
// Aspirational ....
non_recursive_funcs.insert(f.Func());
for ( auto& func : f.Profile()->ScriptCalls() )
{
cs.insert(func);
if ( func == f.Func() )
{
if ( report_recursive )
printf("%s is directly recursive\n",
func->Name());
non_recursive_funcs.erase(func);
}
}
call_set[f.Func()] = cs;
}
// Transitive closure. If we had any self-respect, we'd implement
// Warshall's algorithm. What we do here is feasible though since
// Zeek call graphs tend not to be super-deep. (We could also save
// cycles by only analyzing non-[direct-or-indirect] leaves, as
// was computed by the previous version of this code. But in
// practice, the execution time for this is completely dwarfed
// by the expense of compiling inlined functions, so we keep it
// simple.)
// Whether a change has occurred.
bool did_addition = true;
while ( did_addition )
{
did_addition = false;
// Loop over all the functions of interest.
for ( auto& c : call_set )
{
// For each of them, loop over the set of functions
// they call.
std::unordered_set<const Func*> addls;
for ( auto& cc : c.second )
{
if ( cc == c.first )
// Don't loop over ourselves.
continue;
// For each called function, pull up *its*
// set of called functions.
for ( auto& ccc : call_set[cc] )
{
// For each of those, if we don't
// already have it, add it.
if ( c.second.count(ccc) > 0 )
// We already have it.
continue;
addls.insert(ccc);
if ( ccc != c.first )
// Non-recursive.
continue;
if ( report_recursive )
printf("%s is indirectly recursive, called by %s\n",
c.first->Name(),
cc->Name());
non_recursive_funcs.erase(c.first);
non_recursive_funcs.erase(cc);
}
}
if ( addls.size() > 0 )
{
did_addition = true;
for ( auto& a : addls )
c.second.insert(a);
}
}
}
for ( auto& f : funcs )
// Candidates are non-event, non-hook, non-recursive
// functions ... that don't use lambdas or when's,
// since we don't currently compute the closures/frame
// sizes for them correctly, and more fundamentally since
// we don't compile them and hence inlining them will
// make the parent non-compilable.
if ( f.Func()->Flavor() == FUNC_FLAVOR_FUNCTION &&
non_recursive_funcs.count(f.Func()) > 0 &&
f.Profile()->NumLambdas() == 0 &&
f.Profile()->NumWhenStmts() == 0 )
inline_ables.insert(f.Func());
for ( auto& f : funcs )
{
// Processing optimization: only spend time trying to inline f
// if we haven't marked it as inlineable. This trades off a
// bunch of compilation load (inlining every single function,
// even though almost none will be called directly) for a
// modest gain of having compiled code for those rare
// circumstances in which a Zeek function can be called
// not ultimately stemming from an event (such as global
// scripting, or expiration functions).
if ( inline_ables.count(f.Func()) == 0 )
InlineFunction(&f);
}
}
void Inliner::InlineFunction(FuncInfo* f)
{
max_inlined_frame_size = 0;
// It's important that we take the current frame size from the
// *scope* and not f->Func(). The latter tracks the maximum required
// across all bodies, but we want to track the size for this
// particular body.
curr_frame_size = f->Scope()->Length();
f->Body()->Inline(this);
int new_frame_size = curr_frame_size + max_inlined_frame_size;
if ( new_frame_size > f->Func()->FrameSize() )
f->Func()->SetFrameSize(new_frame_size);
}
ExprPtr Inliner::CheckForInlining(IntrusivePtr<CallExpr> c)
{
auto f = c->Func();
if ( f->Tag() != EXPR_NAME )
// We don't inline indirect calls.
return c;
auto n = f->AsNameExpr();
auto func = n->Id();
if ( ! func->IsGlobal() )
return c;
const auto& func_v = func->GetVal();
if ( ! func_v )
return c;
auto function = func_v->AsFunc();
if ( function->GetKind() != Func::SCRIPT_FUNC )
return c;
auto func_vf = static_cast<ScriptFunc*>(function);
if ( inline_ables.count(func_vf) == 0 )
return c;
ListExprPtr args = {NewRef{}, c->Args()};
auto body = func_vf->GetBodies()[0].stmts; // there's only 1 body
auto t = c->GetType();
// Getting the names of the parameters is tricky. It's tempting
// to take them from the function's type declaration, but alas
// Zeek allows forward-declaring a function with one set of parameter
// names and then defining a later instance of it with different
// names, as long as the types match. So we have to glue together
// the type declaration, which gives us the number of parameters,
// with the scope, which gives us all the variables declared in
// the function, *using the knowledge that the parameters are
// declared first*.
auto scope = func_vf->GetScope();
auto& vars = scope->OrderedVars();
int nparam = func_vf->GetType()->Params()->NumFields();
std::vector<IDPtr> params;
params.reserve(nparam);
for ( int i = 0; i < nparam; ++i )
params.emplace_back(vars[i]);
auto body_dup = body->Duplicate();
// Recursively inline the body. This is safe to do because we've
// ensured there are no recursive loops ... but we have to be
// careful in accounting for the frame sizes.
int frame_size = func_vf->FrameSize();
int hold_curr_frame_size = curr_frame_size;
curr_frame_size = frame_size;
int hold_max_inlined_frame_size = max_inlined_frame_size;
max_inlined_frame_size = 0;
body_dup->Inline(this);
curr_frame_size = hold_curr_frame_size;
int new_frame_size = frame_size + max_inlined_frame_size;
if ( new_frame_size > hold_max_inlined_frame_size )
max_inlined_frame_size = new_frame_size;
else
max_inlined_frame_size = hold_max_inlined_frame_size;
auto ie = make_intrusive<InlineExpr>(args, std::move(params), body_dup,
curr_frame_size, t);
ie->SetOriginal(c);
return ie;
}
} // namespace zeek::detail
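Review bot: In `Inliner::Analyze`, the transitive-closure loop reads `call_set[cc]` while a range-for over `call_set` is in progress; `operator[]` inserts a default entry when `cc` is not already a key, and an insertion that triggers a rehash invalidates the outer loop's iterators. That is safe only if every function returned by `ScriptCalls()` is also present in `funcs`, which this file does not enforce. A lookup that cannot insert removes the dependency: `auto it = call_set.find(cc); if ( it == call_set.end() ) continue;` followed by `for ( auto& ccc : it->second )`. In `CheckForInlining`, `GetBodies()[0]` and `vars[i]` for `i < nparam` are likewise unchecked and would benefit from an assertion on the body count and on the size of `vars`.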

62
src/script_opt/Inline.h Normal file
View file

@ -0,0 +1,62 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Class that manages the process of (recursively) inlining function bodies.
#pragma once
#include "zeek/Func.h"
#include "zeek/Scope.h"
#include <unordered_set>
namespace zeek::detail {
class FuncInfo;
class Inliner {
public:
// First argument is a collection of information about *all* of
// the script functions. Second argument states whether to report
// recursive functions (of interest as they're not in-lineable).
Inliner(std::vector<FuncInfo>& _funcs, bool _report_recursive)
: funcs(_funcs), report_recursive(_report_recursive)
{ Analyze(); }
// Either returns the original CallExpr if it's not inline-able,
// or an InlineExpr if it is.
ExprPtr CheckForInlining(IntrusivePtr<CallExpr> c);
// True if the given function has been inlined.
bool WasInlined(Func* f) { return inline_ables.count(f) > 0; }
protected:
// Driver routine that analyzes all of the script functions and
// recursively inlines eligible ones.
void Analyze();
// Recursively inlines any calls associated with the given function.
void InlineFunction(FuncInfo* f);
// Information about all of the functions (and events/hooks) in
// the full set of scripts.
std::vector<FuncInfo>& funcs;
// Functions that we've determined to be suitable for inlining.
std::unordered_set<Func*> inline_ables;
// As we do inlining for a given function, this tracks the
// largest frame size of any inlined function.
int max_inlined_frame_size;
// The size of the frame of the currently-being-inlined function,
// prior to increasing it to accommodate inlining.
int curr_frame_size;
// Whether to generate a report about functions either directly and
// indirectly recursive.
bool report_recursive;
};
} // namespace zeek::detail
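Review bot: `max_inlined_frame_size` and `curr_frame_size` are declared without initializers, and the constructor runs `Analyze()` from its body, so whether they are written before their first read depends on code in `Analyze()`/`InlineFunction()` that this header does not show. In-class defaults, `int max_inlined_frame_size = 0;` and `int curr_frame_size = 0;`, rule out reading an indeterminate value. The header also names `std::vector` while including only `<unordered_set>`; adding `#include <vector>` avoids depending on a transitive include. `WasInlined` does not modify the object and could be declared `const`.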


@ -0,0 +1,218 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/Desc.h"
#include "zeek/Stmt.h"
#include "zeek/Func.h"
namespace zeek::detail {
TraversalCode ProfileFunc::PreStmt(const Stmt* s)
{
++num_stmts;
auto tag = s->Tag();
if ( compute_hash )
UpdateHash(int(tag));
if ( tag == STMT_INIT )
{
for ( const auto& id : s->AsInitStmt()->Inits() )
inits.insert(id.get());
// Don't recurse into these, as we don't want to consider
// a local that only appears in an initialization as a
// relevant local.
return TC_ABORTSTMT;
}
switch ( tag ) {
case STMT_WHEN:
++num_when_stmts;
in_when = true;
s->AsWhenStmt()->Cond()->Traverse(this);
in_when = false;
// It doesn't do any harm for us to re-traverse the
// conditional, so we don't bother hand-traversing the
// rest of the when but just let the usual processing do it.
break;
case STMT_FOR:
{
auto sf = s->AsForStmt();
auto loop_vars = sf->LoopVars();
auto value_var = sf->ValueVar();
for ( auto id : *loop_vars )
locals.insert(id);
if ( value_var )
locals.insert(value_var.get());
}
break;
case STMT_SWITCH:
{
// If this is a type-case switch statement, then find the
// identifiers created so we can add them to our list of
// locals. Ideally this wouldn't be necessary since *surely*
// if one bothers to define such an identifier then it'll be
// subsequently used, and we'll pick up the local that way ...
// but if for some reason it's not, then we would have an
// incomplete list of locals that need to be tracked.
auto sw = s->AsSwitchStmt();
for ( auto& c : *sw->Cases() )
{
auto idl = c->TypeCases();
if ( idl )
{
for ( auto id : *idl )
locals.insert(id);
}
}
}
break;
default:
break;
}
return TC_CONTINUE;
}
TraversalCode ProfileFunc::PreExpr(const Expr* e)
{
++num_exprs;
auto tag = e->Tag();
if ( compute_hash )
UpdateHash(int(tag));
switch ( tag ) {
case EXPR_CONST:
if ( compute_hash )
{
CheckType(e->GetType());
UpdateHash(e->AsConstExpr()->ValuePtr());
}
break;
case EXPR_NAME:
{
auto n = e->AsNameExpr();
auto id = n->Id();
if ( id->IsGlobal() )
globals.insert(id);
else
locals.insert(id);
if ( compute_hash )
{
UpdateHash({NewRef{}, id});
CheckType(e->GetType());
}
break;
}
case EXPR_CALL:
{
auto c = e->AsCallExpr();
auto f = c->Func();
if ( f->Tag() != EXPR_NAME )
{
does_indirect_calls = true;
return TC_CONTINUE;
}
auto n = f->AsNameExpr();
IDPtr func = {NewRef{}, n->Id()};
if ( ! func->IsGlobal() )
{
does_indirect_calls = true;
return TC_CONTINUE;
}
auto func_v = func->GetVal();
if ( func_v )
{
auto func_vf = func_v->AsFunc();
if ( func_vf->GetKind() == Func::SCRIPT_FUNC )
{
auto bf = static_cast<ScriptFunc*>(func_vf);
script_calls.insert(bf);
if ( in_when )
when_calls.insert(bf);
}
else
BiF_calls.insert(func_vf);
}
else
{
// We could complain, but for now we don't because
// if we're invoked prior to full Zeek initialization,
// the value might indeed not there.
// printf("no function value for global %s\n", func->Name());
}
// Recurse into the arguments.
auto args = c->Args();
args->Traverse(this);
return TC_ABORTSTMT;
}
case EXPR_EVENT:
events.insert(e->AsEventExpr()->Name());
break;
case EXPR_LAMBDA:
++num_lambdas;
break;
default:
break;
}
return TC_CONTINUE;
}
void ProfileFunc::CheckType(const TypePtr& t)
{
auto& tn = t->GetName();
if ( tn.size() > 0 && seen_types.count(tn) > 0 )
// No need to hash this in again, as we've already done so.
return;
if ( seen_type_ptrs.count(t.get()) > 0 )
// We've seen the raw pointer, even though it doesn't have
// a name.
return;
seen_types.insert(tn);
seen_type_ptrs.insert(t.get());
UpdateHash(t);
}
void ProfileFunc::UpdateHash(const IntrusivePtr<zeek::Obj>& o)
{
ODesc d;
o->Describe(&d);
std::string desc(d.Description());
auto h = std::hash<std::string>{}(desc);
MergeInHash(h);
}
} // namespace zeek::detail
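Review bot: In `PreStmt`, the `STMT_WHEN` case hand-traverses `Cond()` and then falls out to `return TC_CONTINUE`, so, as the code's own comment says, the condition is visited a second time by the normal traversal. Every expression in it therefore increments `num_exprs` twice and, when `compute_hash` is set, is merged into the hash twice. The result is still deterministic, but `NumExprs()` over-counts for any function containing a `when`. That should at least be stated, e.g. `// NB: expressions in the condition are counted (and hashed) twice.`, or the counting skipped while `in_when` is true. `in_when = false;` also assumes `when` conditions never nest; saving the previous value and restoring it would not rely on that.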


@ -0,0 +1,123 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Class for traversing a function body's AST to build up a profile
// of its various elements.
#pragma once
#include "zeek/Expr.h"
#include "zeek/Stmt.h"
#include "zeek/Traverse.h"
namespace zeek::detail {
class ProfileFunc : public TraversalCallback {
public:
// If the argument is true, then we compute a hash over the function's
// AST to (pseudo-)uniquely identify it.
ProfileFunc(bool _compute_hash = false)
{ compute_hash = _compute_hash; }
std::unordered_set<const ID*>& Globals() { return globals; }
std::unordered_set<const ID*>& Locals() { return locals; }
std::unordered_set<const ID*>& Inits() { return inits; }
std::unordered_set<ScriptFunc*>& ScriptCalls() { return script_calls; }
std::unordered_set<Func*>& BiFCalls() { return BiF_calls; }
std::unordered_set<ScriptFunc*>& WhenCalls() { return when_calls; }
std::unordered_set<const char*>& Events() { return events; }
bool DoesIndirectCalls() { return does_indirect_calls; }
std::size_t HashVal() { return hash_val; }
int NumStmts() { return num_stmts; }
int NumWhenStmts() { return num_when_stmts; }
int NumExprs() { return num_exprs; }
int NumLambdas() { return num_lambdas; }
protected:
TraversalCode PreStmt(const Stmt*) override;
TraversalCode PreExpr(const Expr*) override;
// Globals seen in the function.
//
// Does *not* include globals solely seen as the function being
// called in a call.
std::unordered_set<const ID*> globals;
// Locals seen in the function.
std::unordered_set<const ID*> locals;
// Same for locals seen in initializations, so we can find
// unused aggregates.
std::unordered_set<const ID*> inits;
// Script functions that this script calls.
std::unordered_set<ScriptFunc*> script_calls;
// Same for BiF's.
std::unordered_set<Func*> BiF_calls;
// Script functions appearing in "when" clauses.
std::unordered_set<ScriptFunc*> when_calls;
// Names of generated events.
std::unordered_set<const char*> events;
// True if the function makes a call through an expression rather
// than simply a function's (global) name.
bool does_indirect_calls = false;
// Hash value. Only valid if constructor requested it.
std::size_t hash_val = 0;
// How many statements / when statements / lambda expressions /
// expressions appear in the function body.
int num_stmts = 0;
int num_when_stmts = 0;
int num_lambdas = 0;
int num_exprs = 0;
// Whether we're separately processing a "when" condition to
// mine out its script calls.
bool in_when = false;
// We only compute a hash over the function if requested, since
// it's somewhat expensive.
bool compute_hash;
// The following are for computing a consistent hash that isn't
// too profligate in how much it needs to compute over.
// Checks whether we've already noted this type, and, if not,
// updates the hash with it.
void CheckType(const TypePtr& t);
void UpdateHash(int val)
{
auto h = std::hash<int>{}(val);
MergeInHash(h);
}
void UpdateHash(const IntrusivePtr<Obj>& o);
void MergeInHash(std::size_t h)
{
// Taken from Boost. See for example
// https://www.boost.org/doc/libs/1_35_0/doc/html/boost/hash_combine_id241013.html
// or
// https://stackoverflow.com/questions/4948780/magic-number-in-boosthash-combine
hash_val ^= h + 0x9e3779b9 + (hash_val << 6) + (hash_val >> 2);
}
// Types that we've already processed. Hashing types can be
// quite expensive since some of the common Zeek record types
// (e.g., notices) are huge, so useful to not do them more than
// once. We track two forms, one by name (if available) and one
// by raw pointer (if not). Doing so allows us to track named
// sub-records but also records that have no names.
std::unordered_set<std::string> seen_types;
std::unordered_set<const Type*> seen_type_ptrs;
};
} // namespace zeek::detail
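Review bot: `events` is a `std::unordered_set<const char*>`, which hashes and compares pointer values rather than the names they point to. The same event name reached through two different buffers is stored twice, and the set stays valid only as long as whatever `Name()` returns, a lifetime this header does not show. `std::unordered_set<std::string> events;` would key on content and own the text, at the cost of changing the return type of `Events()`. The header also uses `std::unordered_set` and `std::string` without including `<unordered_set>` and `<string>`, and the single-argument constructor could be marked `explicit` to block an implicit `bool` conversion.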


@ -0,0 +1,65 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/Options.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/script_opt/Inline.h"
namespace zeek::detail {
std::unordered_set<const Func*> non_recursive_funcs;
// Tracks all of the loaded functions (including event handlers and hooks).
static std::vector<FuncInfo> funcs;
FuncInfo::FuncInfo(ScriptFuncPtr _func, ScopePtr _scope, StmtPtr _body)
: func(std::move(_func)), scope(std::move(_scope)), body(std::move(_body))
{}
void FuncInfo::SetProfile(std::unique_ptr<ProfileFunc> _pf)
{ pf = std::move(_pf); }
void analyze_func(ScriptFuncPtr f)
{
funcs.emplace_back(f, ScopePtr{NewRef{}, f->GetScope()}, f->CurrentBody());
}
static void check_env_opt(const char* opt, bool& opt_flag)
{
if ( getenv(opt) )
opt_flag = true;
}
void analyze_scripts(Options& opts)
{
auto& analysis_options = opts.analysis_options;
static bool did_init = false;
if ( ! did_init )
{
check_env_opt("ZEEK_INLINE", analysis_options.inliner);
did_init = true;
}
if ( ! analysis_options.inliner )
return;
for ( auto& f : funcs )
{
f.SetProfile(std::make_unique<ProfileFunc>(true));
f.Body()->Traverse(f.Profile());
}
Inliner* inl = nullptr;
if ( analysis_options.inliner )
inl = new Inliner(funcs, analysis_options.report_recursive);
delete inl;
}
} // namespace zeek::detail
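Review bot: `check_env_opt` sets the flag whenever the variable exists, so `ZEEK_INLINE=0` or an empty `ZEEK_INLINE=` still turns the inliner on, and nothing records that an environment variable changed how scripts are executed. Testing the value would match what operators expect, e.g. `const char* v = getenv(opt); if ( v && *v && strcmp(v, "0") != 0 ) opt_flag = true;`, and a one-line log message when it takes effect would make the change visible. In `analyze_scripts`, the second `if ( analysis_options.inliner )` is always true after the early return, and the `new`/`delete` pair can be replaced by `Inliner inl(funcs, analysis_options.report_recursive);`.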


@ -0,0 +1,72 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Classes for controlling/orchestrating script optimization & compilation.
#pragma once
#include "zeek/Func.h"
#include "zeek/Expr.h"
#include "zeek/Scope.h"
namespace zeek { struct Options; }
namespace zeek::detail {
// Flags controlling what sorts of analysis to do.
struct AnalyOpt {
// If true, do global inlining.
bool inliner = false;
// If true, report which functions are directly and indirectly
// recursive, and exit. Only germane if running the inliner.
bool report_recursive = false;
};
class ProfileFunc;
using ScriptFuncPtr = IntrusivePtr<ScriptFunc>;
// Info we need for tracking an instance of a function.
class FuncInfo {
public:
FuncInfo(ScriptFuncPtr _func, ScopePtr _scope, StmtPtr _body);
ScriptFunc* Func() { return func.get(); }
ScriptFuncPtr FuncPtr() { return func; }
ScopePtr Scope() { return scope; }
StmtPtr Body() { return body; }
ProfileFunc* Profile() { return pf.get(); }
const std::string& SaveFile() { return save_file; }
void SetProfile(std::unique_ptr<ProfileFunc> _pf);
void SetSaveFile(std::string _sf) { save_file = std::move(_sf); }
protected:
ScriptFuncPtr func;
ScopePtr scope;
StmtPtr body;
std::unique_ptr<ProfileFunc> pf;
// If we're saving this function in a file, this is the name
// of the file to use.
std::string save_file;
};
// We track which functions are definitely not recursive. We do this
// as the negative, rather than tracking functions known to be recursive,
// so that if we don't do the analysis at all (it's driven by inlining),
// we err on the conservative side and assume every function is recursive.
extern std::unordered_set<const Func*> non_recursive_funcs;
// Analyze a given function for optimization.
extern void analyze_func(ScriptFuncPtr f);
// Analyze all of the parsed scripts collectively for optimization.
extern void analyze_scripts(Options& opts);
} // namespace zeek::detail
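Review bot: `FuncInfo` owns a `std::unique_ptr<ProfileFunc>` while `ProfileFunc` is only forward-declared here and the class declares no destructor or move operations. Any translation unit that destroys or moves a `FuncInfo` without also including `ProfileFunc.h` will therefore fail on the incomplete type. Declaring `~FuncInfo();` and `FuncInfo(FuncInfo&&);` here and defaulting them in ScriptOpt.cc, next to the constructor and `SetProfile`, keeps that requirement in one place. The header also uses `std::unique_ptr`, `std::string` and `std::unordered_set` without including `<memory>`, `<string>` and `<unordered_set>`.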

212
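--- a/src/script_opt/Stmt.cc
+++ b/src/script_opt/Stmt.cc
@@ -0,0 +1,212 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+// Optimization-related methods for Stmt classes.
+#include "zeek/Stmt.h"
+#include "zeek/Expr.h"
+namespace zeek::detail {
+void ExprListStmt::Inline(Inliner* inl)
+{
+auto& e = l->Exprs();
+for ( auto i = 0; i < e.length(); ++i )
+e.replace(i, e[i]->Inline(inl).release());
+}
+StmtPtr PrintStmt::Duplicate()
+{
+return SetSucc(new PrintStmt(l->Duplicate()->AsListExprPtr()));
+}
+StmtPtr ExprStmt::Duplicate()
+{
+return SetSucc(new ExprStmt(e ? e->Duplicate() : nullptr));
+}
+void ExprStmt::Inline(Inliner* inl)
+{
+if ( e )
+e = e->Inline(inl);
+}
+StmtPtr IfStmt::Duplicate()
+{
+return SetSucc(new IfStmt(e->Duplicate(), s1->Duplicate(),
+s2->Duplicate()));
+}
+void IfStmt::Inline(Inliner* inl)
+{
+ExprStmt::Inline(inl);
+if ( s1 )
+s1->Inline(inl);
+if ( s2 )
+s2->Inline(inl);
+}
+IntrusivePtr<Case> Case::Duplicate()
+{
+if ( expr_cases )
+{
+auto new_exprs = expr_cases->Duplicate()->AsListExprPtr();
+return make_intrusive<Case>(new_exprs, type_cases, s->Duplicate());
+}
+else
+return make_intrusive<Case>(nullptr, type_cases, s->Duplicate());
+}
+StmtPtr SwitchStmt::Duplicate()
+{
+auto new_cases = new case_list;
+loop_over_list(*cases, i)
+new_cases->append((*cases)[i]->Duplicate().release());
+return SetSucc(new SwitchStmt(e->Duplicate(), new_cases));
+}
+void SwitchStmt::Inline(Inliner* inl)
+{
+ExprStmt::Inline(inl);
+for ( auto c : *cases )
+// In principle this can do the operation multiple times
+// for a given body, but that's no big deal as repeated
+// calls won't do anything.
+c->Body()->Inline(inl);
+}
+StmtPtr AddStmt::Duplicate()
+{
+return SetSucc(new AddStmt(e->Duplicate()));
+}
+StmtPtr DelStmt::Duplicate()
+{
+return SetSucc(new DelStmt(e->Duplicate()));
+}
+StmtPtr EventStmt::Duplicate()
+{
+return SetSucc(new EventStmt(e->Duplicate()->AsEventExprPtr()));
+}
+StmtPtr WhileStmt::Duplicate()
+{
+return SetSucc(new WhileStmt(loop_condition->Duplicate(),
+body->Duplicate()));
+}
+void WhileStmt::Inline(Inliner* inl)
+{
+loop_condition = loop_condition->Inline(inl);
+if ( loop_cond_stmt )
+loop_cond_stmt->Inline(inl);
+if ( body )
+body->Inline(inl);
+}
+StmtPtr ForStmt::Duplicate()
+{
+auto expr_copy = e->Duplicate();
+auto new_loop_vars = new zeek::IDPList;
+loop_over_list(*loop_vars, i)
+{
+auto id = (*loop_vars)[i];
+zeek::Ref(id);
+new_loop_vars->append(id);
+}
+ForStmt* f;
+if ( value_var )
+f = new ForStmt(new_loop_vars, expr_copy, value_var);
+else
+f = new ForStmt(new_loop_vars, expr_copy);
+f->AddBody(body->Duplicate());
+return SetSucc(f);
+}
+void ForStmt::Inline(Inliner* inl)
+{
+ExprStmt::Inline(inl);
+body->Inline(inl);
+}
+StmtPtr ReturnStmt::Duplicate()
+{
+return SetSucc(new ReturnStmt(e ? e->Duplicate() : nullptr, true));
+}
+ReturnStmt::ReturnStmt(ExprPtr arg_e, bool ignored)
+: ExprStmt(STMT_RETURN, std::move(arg_e))
+{
+}
+StmtPtr StmtList::Duplicate()
+{
+auto new_sl = new StmtList();
+for ( auto& stmt : Stmts() )
+new_sl->Stmts().push_back(stmt->Duplicate().release());
+return SetSucc(new_sl);
+}
+void StmtList::Inline(Inliner* inl)
+{
+for ( const auto& stmt : Stmts() )
+stmt->Inline(inl);
+}
+StmtPtr InitStmt::Duplicate()
+{
+// Need to duplicate the initializer list since later reductions
+// can modify it in place.
+std::vector<IDPtr> new_inits;
+for ( auto id : inits )
+new_inits.push_back(id);
+return SetSucc(new InitStmt(new_inits));
+}
+StmtPtr WhenStmt::Duplicate()
+{
+auto cond_d = cond->Duplicate();
+auto s1_d = s1->Duplicate();
+auto s2_d = s2 ? s2->Duplicate() : nullptr;
+auto timeout_d = timeout ? timeout->Duplicate() : nullptr;
+return SetSucc(new WhenStmt(cond_d, s1_d, s2_d, timeout_d, is_return));
+}
+void WhenStmt::Inline(Inliner* inl)
+{
+// Don't inline, since we currently don't correctly capture
+// the frames of closures.
+}
+} // namespace zeek::detail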
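Review bot: `Case::Duplicate` passes the original's raw `type_cases` list to the new `Case` in both branches, so the copy and the original end up sharing one list. If `Case`'s destructor releases that list or its IDs (the destructor is not part of this file), destroying both ASTs after duplicating a type-case switch would release it twice. `ForStmt::Duplicate` in this same file avoids that by building a fresh `zeek::IDPList` and calling `zeek::Ref` on each ID, and the sketch below applies the same treatment. Separately, `IfStmt::Duplicate` calls `s1->Duplicate()` and `s2->Duplicate()` unguarded while `IfStmt::Inline` null-checks both, so one of the two is inconsistent with what the class allows.

```cpp
IntrusivePtr<Case> Case::Duplicate()
	{
	// Give the copy its own list of type-case IDs, each holding its own reference.
	zeek::IDPList* new_type_cases = nullptr;

	if ( type_cases )
		{
		new_type_cases = new zeek::IDPList;
		for ( auto id : *type_cases )
			{
			zeek::Ref(id);
			new_type_cases->append(id);
			}
		}

	auto new_exprs = expr_cases ? expr_cases->Duplicate()->AsListExprPtr() : nullptr;
	return make_intrusive<Case>(new_exprs, new_type_cases, s->Duplicate());
	}
```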


@ -54,6 +54,8 @@ extern "C" {
#include "zeek/ScannedFile.h" #include "zeek/ScannedFile.h"
#include "zeek/Frag.h" #include "zeek/Frag.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/supervisor/Supervisor.h" #include "zeek/supervisor/Supervisor.h"
#include "zeek/threading/Manager.h" #include "zeek/threading/Manager.h"
#include "zeek/input/Manager.h" #include "zeek/input/Manager.h"
@ -779,6 +781,14 @@ SetupResult setup(int argc, char** argv, Options* zopts)
} }
} }
analyze_scripts(options);
auto& analysis_options = options.analysis_options;
if ( analysis_options.report_recursive )
// This option is report-and-exit.
exit(0);
if ( dns_type != DNS_PRIME ) if ( dns_type != DNS_PRIME )
run_state::detail::init_run(options.interface, options.pcap_file, options.pcap_output_file, options.use_watchdog); run_state::detail::init_run(options.interface, options.pcap_file, options.pcap_output_file, options.use_watchdog);
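Review bot: The added `exit(0)` fires on `report_recursive` alone, but `analyze_scripts` (in the ScriptOpt.cc section of this commit) returns before constructing the `Inliner` unless `analysis_options.inliner` is set. With only `report_recursive` enabled, Zeek would therefore exit with status 0 without having produced any report. Where `report_recursive` gets set is not visible here, so either have that option imply `inliner`, or guard the exit with `if ( analysis_options.inliner && analysis_options.report_recursive )` and warn when the report was requested without the inliner. Calling `exit()` from inside `setup()` also skips whatever teardown the caller would normally run; `setup()` begins and ends outside this hunk.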


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;
0 ./profiling-test2.zeek, line 2 print new conn;


@ -0,0 +1,41 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ./no-warnings.zeek, line 27: deprecated (ONE)
warning in ./no-warnings.zeek, line 28: deprecated (TWO)
warning in ./no-warnings.zeek, line 30: deprecated (GREEN)
warning in ./no-warnings.zeek, line 31: deprecated (BLUE)
warning in ./no-warnings.zeek, line 33: deprecated (blah)
warning in ./no-warnings.zeek, line 37: deprecated (my_event)
warning in ./no-warnings.zeek, line 38: deprecated (my_event)
warning in ./no-warnings.zeek, line 39: deprecated (my_hook)
warning in ./no-warnings.zeek, line 41: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 42: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 43: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 45: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 46: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 49: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 52: deprecated (my_event)
warning in ./no-warnings.zeek, line 57: deprecated (my_hook)
warning in ./no-warnings.zeek, line 62: deprecated (blah)
warning in ./no-warnings.zeek, line 71: deprecated (dont_use_me)
warning in ./no-warnings.zeek, line 76: deprecated (dont_use_me_either)
ZERO
ONE
TWO
RED
GREEN
BLUE
generate my_hook please
generate my_event please
schedule my_event please


@ -0,0 +1,41 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ./warnings.zeek, line 27: deprecated (ONE): one warning
warning in ./warnings.zeek, line 28: deprecated (TWO): two warning
warning in ./warnings.zeek, line 30: deprecated (GREEN): green warning
warning in ./warnings.zeek, line 31: deprecated (BLUE): red warning
warning in ./warnings.zeek, line 33: deprecated (blah): type warning
warning in ./warnings.zeek, line 37: deprecated (my_event): event warning
warning in ./warnings.zeek, line 38: deprecated (my_event): event warning
warning in ./warnings.zeek, line 39: deprecated (my_hook): hook warning
warning in ./warnings.zeek, line 41: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 42: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 43: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 45: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 46: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 49: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 52: deprecated (my_event): event warning
warning in ./warnings.zeek, line 57: deprecated (my_hook): hook warning
warning in ./warnings.zeek, line 62: deprecated (blah): type warning
warning in ./warnings.zeek, line 71: deprecated (dont_use_me): global function warning
warning in ./warnings.zeek, line 76: deprecated (dont_use_me_either): function warning
ZERO
ONE
TWO
RED
GREEN
BLUE
generate my_hook please
generate my_event please
schedule my_event please

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load diff


@ -0,0 +1,7 @@
--- Backtrace ---
--- Backtrace ---
--- Backtrace ---


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in <no location>: invalid Broker store handle (0), during call: (Broker::__is_closed(Broker::h))
error in <...>/invalid-handle.zeek, line 6: invalid Broker store handle (Broker::keys(a) and 0)
keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]


@ -0,0 +1,5 @@
runtime error in /Users/vern/warehouse/zeek-bvu-change/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=<uninitialized>], expression: Queue::ret[Queue::j], call stack:
#0 zeek_init()
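Review bot: This baseline records an absolute path from a developer's machine, `/Users/vern/warehouse/zeek-bvu-change/scripts/base/utils/queue.zeek`, which publishes a local username and directory layout and cannot match on any other checkout. Other baselines in this commit show such paths canonicalized as `<...>/` and begin with the `### BTest baseline data generated by btest-diff` header, which this file lacks. It should be regenerated through `btest -U` so the path is canonicalized and the header is present.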


@ -0,0 +1 @@
foo, 1, 2, 3, yo

File diff suppressed because one or more lines are too long


@ -0,0 +1 @@
foo, 1, 2, 3, yo


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error: file ID asdf not a known file
This should fail but not crash
This should return F
F
lookup fid: FMnxxt3xjVcWNS2141
We should have found the file id: FMnxxt3xjVcWNS2141
This should return T
T


@ -0,0 +1,160 @@
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.


@ -0,0 +1,15 @@
[source=wc -l ../input.log |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=Val, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, s;
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
8 ../input.log


@ -0,0 +1,320 @@
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.


@ -0,0 +1,236 @@
0.000000 zeek_init
0.000000 NetControl::init
0.000000 filter_change_tracking
1254722767.492060 Broker::log_flush
1254722767.492060 ChecksumOffloading::check
1254722767.492060 filter_change_tracking
1254722767.492060 new_connection
1254722767.492060 dns_message
1254722767.492060 dns_request
1254722767.492060 protocol_confirmation
1254722767.492060 dns_end
1254722767.526085 dns_message
1254722767.526085 dns_CNAME_reply
1254722767.526085 dns_A_reply
1254722767.526085 dns_end
1254722767.529046 new_connection
1254722767.875996 connection_established
1254722768.219663 smtp_reply
1254722768.219663 smtp_reply
1254722768.219663 smtp_reply
1254722768.224809 protocol_confirmation
1254722768.224809 smtp_request
1254722768.565386 Broker::log_flush
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.568729 smtp_request
1254722768.911081 smtp_reply
1254722768.911655 smtp_request
1254722769.253544 smtp_reply
1254722769.254118 smtp_request
1254722769.613798 Broker::log_flush
1254722769.613798 smtp_reply
1254722769.614414 smtp_request
1254722769.956765 smtp_reply
1254722769.957250 smtp_request
1254722770.319708 smtp_reply
1254722770.320203 smtp_request
1254722770.320203 mime_begin_entity
1254722770.661679 Broker::log_flush
1254722770.661679 smtp_reply
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 get_file_handle
1254722770.692743 file_new
1254722770.692743 file_over_new_connection
1254722770.692743 mime_end_entity
1254722770.692743 get_file_handle
1254722770.692743 file_sniff
1254722770.692743 file_state_remove
1254722770.692743 get_file_handle
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 get_file_handle
1254722770.692743 file_new
1254722770.692743 file_over_new_connection
1254722770.692804 mime_end_entity
1254722770.692804 get_file_handle
1254722770.692804 file_sniff
1254722770.692804 file_state_remove
1254722770.692804 get_file_handle
1254722770.692804 mime_end_entity
1254722770.692804 get_file_handle
1254722770.692804 get_file_handle
1254722770.692804 mime_begin_entity
1254722770.692804 mime_one_header
1254722770.692804 mime_one_header
1254722770.692804 mime_one_header
1254722770.692804 get_file_handle
1254722770.692804 file_new
1254722770.692804 file_over_new_connection
1254722770.695115 new_connection
1254722771.494181 file_sniff
1254722771.834595 Broker::log_flush
1254722771.858334 mime_end_entity
1254722771.858334 get_file_handle
1254722771.858334 file_state_remove
1254722771.858334 get_file_handle
1254722771.858334 mime_end_entity
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 smtp_request
1254722772.248789 smtp_reply
1254722774.763825 Broker::log_flush
1254722774.763825 smtp_request
1254722775.105467 smtp_reply
1254722776.690444 Broker::log_flush
1254722776.690444 new_connection
1437831776.764391 ChecksumOffloading::check
1437831776.764391 connection_state_remove
1437831776.764391 Broker::log_flush
1437831776.764391 connection_state_remove
1437831776.764391 connection_state_remove
1437831776.764391 connection_state_remove
1437831776.764391 filter_change_tracking
1437831776.764391 new_connection
1437831787.856895 Broker::log_flush
1437831787.856895 new_connection
1437831787.861602 connection_established
1437831787.867142 smtp_reply
1437831787.883306 protocol_confirmation
1437831787.883306 smtp_request
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.887031 smtp_request
1437831787.889785 smtp_reply
1437831787.890232 smtp_request
1437831787.892986 smtp_reply
1437831787.893587 smtp_request
1437831787.897624 smtp_reply
1437831787.898413 smtp_request
1437831787.901069 smtp_reply
1437831787.901697 smtp_request
1437831787.901697 mime_begin_entity
1437831787.904758 smtp_reply
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 get_file_handle
1437831787.905375 file_new
1437831787.905375 file_over_new_connection
1437831787.905375 mime_end_entity
1437831787.905375 get_file_handle
1437831787.905375 file_sniff
1437831787.905375 file_state_remove
1437831787.905375 get_file_handle
1437831787.905375 get_file_handle
1437831787.905375 get_file_handle
1437831787.905375 smtp_request
1437831787.914113 smtp_reply
1437831798.533593 Broker::log_flush
1437831798.533593 new_connection
1437831799.262632 new_connection
1437831799.461152 new_connection
1437831799.610433 Broker::log_flush
1437831799.610433 connection_established
1437831799.611764 ssl_extension_server_name
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 protocol_confirmation
1437831799.611764 ssl_client_hello
1437831799.611764 ssl_handshake_message
1437831799.611764 ssl_plaintext_data
1437831799.764576 ssl_extension
1437831799.764576 ssl_server_hello
1437831799.764576 ssl_handshake_message
1437831799.764576 file_new
1437831799.764576 file_over_new_connection
1437831799.764576 file_sniff
1437831799.764576 file_hash
1437831799.764576 file_hash
1437831799.764576 x509_certificate
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_basic_constraints
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_subject_alternative_name
1437831799.764576 file_hash
1437831799.764576 file_state_remove
1437831799.764576 file_new
1437831799.764576 file_over_new_connection
1437831799.764576 file_sniff
1437831799.764576 file_hash
1437831799.764576 file_hash
1437831799.764576 x509_certificate
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_basic_constraints
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 file_hash
1437831799.764576 file_state_remove
1437831799.764576 ssl_handshake_message
1437831799.764576 ssl_handshake_message
1437831799.764576 ssl_plaintext_data
1437831799.838196 ssl_handshake_message
1437831799.838196 ssl_plaintext_data
1437831799.838197 ssl_change_cipher_spec
1437831799.838197 ssl_plaintext_data
1437831800.045701 ssl_change_cipher_spec
1437831800.045701 ssl_plaintext_data
1437831800.045701 ssl_established
1437831800.217854 net_done
1437831800.217854 Broker::log_flush
1437831800.217854 filter_change_tracking
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 zeek_done
1437831800.217854 ChecksumOffloading::check

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -0,0 +1,320 @@
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = We do not authorize the use of this system to transport unsolicited,
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = and/or bulk e-mail.
[5] cont_resp: bool = F
1254722768.224809 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=695.0 msecs 762.872696 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = EHLO
[3] arg: string = GP
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = xc90.websitewelcome.com Hello GP [122.162.143.157]
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = SIZE 52428800
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = PIPELINING
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = AUTH PLAIN LOGIN
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = STARTTLS
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = HELP
[5] cont_resp: bool = F
1254722768.568729 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = AUTH
[3] arg: string = LOGIN
1254722768.911081 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH
[4] msg: string = VXNlcm5hbWU6
[5] cont_resp: bool = F
1254722768.911655 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu
1254722769.253544 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH_ANSWER
[4] msg: string = UGFzc3dvcmQ6
[5] cont_resp: bool = F
1254722769.254118 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = cHVuamFiQDEyMw==
1254722769.613798 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 235
[3] cmd: string = AUTH_ANSWER
[4] msg: string = Authentication succeeded
[5] cont_resp: bool = F
1254722769.614414 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = MAIL
[3] arg: string = FROM: <gurpartap@patriots.in>
1254722769.956765 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = MAIL
[4] msg: string = OK
[5] cont_resp: bool = F
1254722769.957250 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO: <raj_deol2002in@yahoo.co.in>
1254722770.319708 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Accepted
[5] cont_resp: bool = F
1254722770.320203 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = DATA
[3] arg: string =
1254722770.661679 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 354
[3] cmd: string = DATA
[4] msg: string = Enter message, ending with "." on a line by itself
[5] cont_resp: bool = F
1254722771.858334 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = .
[3] arg: string = .
1254722772.248789 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = .
[4] msg: string = OK id=1Mugho-0003Dg-Un
[5] cont_resp: bool = F
1254722774.763825 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = QUIT
[3] arg: string =
1254722775.105467 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 221
[3] cmd: string = QUIT
[4] msg: string = xc90.websitewelcome.com closing connection
[5] cont_resp: bool = F
1437831787.867142 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = uprise ESMTP SubEthaSMTP null
[5] cont_resp: bool = F
1437831787.883306 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=26.0 msecs 411.056519 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = EHLO
[3] arg: string = [192.168.133.100]
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = uprise
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = 8BITMIME
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = AUTH LOGIN
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.887031 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = MAIL
[3] arg: string = FROM:<albert@example.com>
1437831787.889785 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = MAIL
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.890232 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<ericlim220@yahoo.com>
1437831787.892986 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.893587 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<felica4uu@hotmail.com>
1437831787.897624 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.898413 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<davis_mark1@outlook.com>
1437831787.901069 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.901697 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = DATA
[3] arg: string =
1437831787.904758 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 354
[3] cmd: string = DATA
[4] msg: string = End data with <CR><LF>.<CR><LF>
[5] cont_resp: bool = F
1437831787.905375 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = .
[3] arg: string = .
1437831787.914113 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = .
[4] msg: string = Ok
[5] cont_resp: bool = F


@ -0,0 +1,10 @@
non_recursiveA\x0a{ \x0areturn (x + (coerce 2 to double) * y);\x0a}
non_recursiveB\x0a{ \x0areturn (x + (coerce 3 to double) * non_recursiveA(y, x));\x0a}
recursive\x0a{ \x0aif (0 < n) \x0a\x09return (recursive(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
mutually_recursiveA\x0a{ \x0aif (0 < n) \x0a\x09return (mutually_recursiveB(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
mutually_recursiveB\x0a{ \x0areturn (mutually_recursiveA(n, k + 1));\x0a}
my_handler\x0a{ \x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}};\x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 3 to double) * inline(y, x){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}});\x0a}};\x0aprint recursive(5, 7);\x0aprint mutually_recursiveA(6, 4);\x0a}
1.0
-15.0
1440
11520


@ -32,3 +32,31 @@ ZEEK_DISABLE_ZEEKYGEN=1
ZEEK_ALLOW_INIT_ERRORS=1 ZEEK_ALLOW_INIT_ERRORS=1
ZEEK_SUPERVISOR_NO_SIGKILL=1 ZEEK_SUPERVISOR_NO_SIGKILL=1
UBSAN_OPTIONS=print_stacktrace=1 UBSAN_OPTIONS=print_stacktrace=1
[environment-AST-dup]
# Environment for testing AST duplication functionality, which is
# needed for script optimization but isn't otherwise exercised.
#
# 5 tests differ, for the following reasons:
#
# language.deprecated
# Some deprecation messages get reported multiple times, first when
# constructing the original AST node, and then when duplicating it.
#
# scripts.base.frameworks.input.reread
# plugins.hooks
# When lambdas are duplicated they get a new UID, which differs
# from the original.
#
# coverage.zeek-profiler-file
# Not sure what's going on here, but best guess the problem is
# that the coverage tracking is looking for execution of the
# original statements and is not able to associate the duplicated
# statements with these. Doesn't seem worth trying to fix.
#
ZEEK_DUPLICATE_ASTS=1
BTEST_BASELINE_DIR=%(testbase)s/Baseline.dup:%(testbase)s/Baseline
[environment-inline]
ZEEK_INLINE=1
BTEST_BASELINE_DIR=%(testbase)s/Baseline.inline:%(testbase)s/Baseline
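Review bot: The comment under `[environment-AST-dup]` says "5 tests differ" but names only four tests (language.deprecated, scripts.base.frameworks.input.reread, plugins.hooks, coverage.zeek-profiler-file), so either the count or the list is out of date. The `[environment-inline]` section that follows has no comment at all, although it also redirects baselines; a line such as `# Environment for running the suite with ZEEK_INLINE=1; differing baselines live in Baseline.inline.` would match the section above. For coverage.zeek-profiler-file the stated cause is a guess, so marking it with `# TODO: confirm cause` would keep the divergent baseline from being accepted permanently without review.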


@ -0,0 +1,67 @@
# @TEST-EXEC: zeek -b -O inline %INPUT >output
# @TEST-EXEC: btest-diff output
# Tests pure inlining of scripts (no other optimization/compilation used).
# The non-recursive functions should be (recursively!) inlined into the
# body of my_handler, while neither the directly-recursive nor the
# mutually recursive ones should be. We print out each function body
# in its transformed form (format %S) to test this.
function non_recursiveA(x: double, y: double): double
{
return x + 2 * y;
}
function non_recursiveB(x: double, y: double): double
{
# When printed, this function's body will *not* indicate inlining,
# because this function is itself inlined (and thus will not be
# called directly, so we avoid the work of inlining it itself).
#
# We reverse arguments in the call to make sure that parameters get
# correctly assigned when executing inlined blocks.
return x + non_recursiveA(y, x) * 3;
}
function recursive(n: count, k: count): count
{
if ( n > 0 )
return n * recursive(n-1, k + 1);
else
return k;
}
global mutually_recursiveB: function(n: count, k: count): count;
function mutually_recursiveA(n: count, k: count): count
{
if ( n > 0 )
return n * mutually_recursiveB(n-1, k + 1);
else
return k;
}
function mutually_recursiveB(n: count, k: count): count
{
return mutually_recursiveA(n, k + 1);
}
event my_handler()
{
print non_recursiveA(-3, 2);
print non_recursiveB(-3, 2);
print recursive(5, 7);
print mutually_recursiveA(6, 4);
}
event zeek_init()
{
print fmt("%S", non_recursiveA);
print fmt("%S", non_recursiveB);
print fmt("%S", recursive);
print fmt("%S", mutually_recursiveA);
print fmt("%S", mutually_recursiveB);
print fmt("%S", my_handler);
event my_handler();
}
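Review bot: Every callee in this test only reads its parameters, so nothing checks that an inlined body which assigns to a parameter leaves the caller's variable untouched; the swapped call `non_recursiveA(y, x)` covers binding order but not writes. Whether the inliner copies arguments into fresh slots is not visible from this file, so a case would pin it down: `function bump(x: double): double { x = x + 1.0; return x; }` called from my_handler as `local x = 1.0; print bump(x), x;`, with the expected `2.0, 1.0` added to the baseline. A short comment above `event zeek_init()` noting that the `%S` dumps are printed before `my_handler` runs would also explain the order of lines in the baseline.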


@ -6,6 +6,9 @@
event zeek_init() event zeek_init()
{ {
print "This should fail but not crash"; print "This should fail but not crash";
# The following produces a run-time warning, "non-void function
# returning without a value" ... but not when inlined, since then
# there's no call to a script function occurring.
print Files::lookup_file("asdf"); print Files::lookup_file("asdf");
print "This should return F"; print "This should return F";